Thanks for your kind words, very much appreciated!

I did read about the unauthenticated access issue and left my comments here: http://ha.ckers.org/blog/20070.....in-urchin/

Back in July, when I was searching some examples in Google also noticed that some sites have the Urchin stats wide open, but I thought this was a configuration problem as opposed to a bug.

Are you guys sure there is a authorization bypass hole?

MustLive, is this a 100% verified issue? Have you guys replicated this in a lab environment? I can’t make it work on my test installation.

No need to paste your words, I read your whole post carefully ;-). I understand that you was first who found this hole and I believe you (and Google also know that you was first who tell them about this XSS). Some people who found this hole after you outstrip you with disclosure, but you was the first discoverer, so you have respect of me and security community.

I understand you with this situation, when other guys officially disclosed your hole before you. This incidents sometimes happens in webappsec world. I regularly have such experience, when people disclosing holes which I first discover before me, or when people disclosing holes many months after my disclosure.

What I wrote in my previous comment (and what I wrote at my site), that there is another hole in Urchin. It is Authorization bypass vulnerability (which as I know was found by RSnake and you didn’t mention it in your post). This one gives possibility to enter into account without any login and password. It is also interesting hole as your XSS.

Copied and pasted from this very same post:

I reported the issue to Google back on Jul 25 and was confirmed by their security team. They are now working on a fix. My original plan was to publish this info after a fix would be released. However, the issue has also been found by other folks about a month ago.

In other words, I do mention that it’s been publicly made a month ago by others, but ALSO that I reported it to Google 2 months ago and that I was waiting for them to fix it BEFORE making it public.

As I wrote at my site month ago (http://websecurity.com.ua/1283/) about this XSS hole in Urchin, RSnake already wrote about this hole. Like you also mentioned about. But as I and RSnake wrote, there is not only XSS, but also Authorization bypass vulnerability in Urchin. Which give possibility to look at statistic without any login and password!

I know that you’re sick of XSS PoCs that only open alert boxes.

I’m not, I like alert boxes :-), especially alert(document.cookie).

Nevertheless, man, nice XSS PoCs and video ;-).