Fredrick Young sent an interesting tidbit over to me today. Apparently all sites that run Urchin’s console are vulnerable to XSS. Urchin (recently bought by Google) is web tracking software designed for log analysis. It’s actually some of the best software out there in terms of speed of log analysis. I heard rumors that lots of the backend was originally coded in assembler. Cool stuff. Anyway, after a few minutes of looking I found an example of this out on the web. Click here for an example. This brings up a few interesting points.
Firstly, it’s not running on port 80, so the same origin policy is irrelevant. Secondly, lots of people use this software, and lots of the companies who use it need to be PCI compliant, which means that all of the companies who have exposed this interface are now failing PCI. Not so nice.
Also, when locating this particular example, I noticed that the password protection doesn’t appear to stop you from viewing the logs directly, as you can see here. Bummer. Being able to read logs could lead to disclosure of hidden files, internal IP addresses, and all kinds of other things submitted on the URL. Looks like Urchin needs a few patches. I actually like this software a lot, and if I had lots of money I’d probably buy it. It’s the same back end as Google Analytics, minus the fact that Google can spy on you and your users. But it’s got a few issues.