[Security-news] Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011

security-news at drupal.org security-news at drupal.org
Wed Mar 2 18:49:06 UTC 2016


View online: https://www.drupal.org/node/2679515

   * Advisory ID: DRUPAL-SA-CONTRIB-2016-011
   * Project: Google Analytics Counter [1]     (third-party module)
   * Version: 7.x
   * Date: 2016-March-02
   * Security risk: 12/25 ( Moderately Critical)
     AC:None/A:Admin/CI:None/II:Some/E:Theoretical/TD:All [2]
   * Vulnerability: Cross Site Request Forgery

-------- DESCRIPTION
---------------------------------------------------------

The Google Analytics Counter module provides total pageview counts for each
page on a website. In that it is similar to the core Statistics module
counter, but it is much lighter and ultimately faster because it draws on
data from Google Analytics. This is why it is also able to effortlessly count
views of cached pages.

The module doesn't sufficiently protect against cross-site request forgery
when it comes to the configuration reset link on its dashboard page. If the
reset link were to be sent to a user with the right permissions, it could
lead to an unwanted reset of the module's settings (including its OAuth
credentials).


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Google Analytics Counter 7.x-3.x versions prior to 7.x-3.2.

Drupal core is not affected. If you do not use the contributed Google
Analytics Counter [4] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the Google Analytics Counter module for Drupal 7.x, upgrade to
     Google Analytics Counter 7.x-3.2 [5]

Also see the Google Analytics Counter [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * James Williams [7]

-------- FIXED BY
------------------------------------------------------------

   * Tomas Fulopp [8] (the module maintainer)

-------- COORDINATED BY
------------------------------------------------------

   * Michael Hess [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and  securing your site [13].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]


[1] https://www.drupal.org/project/google_analytics_counter
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/google_analytics_counter
[5] https://www.drupal.org/node/2679004
[6] https://www.drupal.org/project/google_analytics_counter
[7] https://www.drupal.org/user/15129
[8] https://www.drupal.org/user/45996
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity



More information about the Security-news mailing list