

Title: Google Website Optimizer Security Bug and How to Fix It
Post by: CREATIVE Options on December 08, 2010, 09:43:32
Yesterday, as a Google Website Optimizer user, I received an email explaining that the scripts used on landing pages for GWO tracking can introduce a security issue:

    We are writing to inform you of a potential security issue with Website Optimizer. By exploiting a vulnerability in the Website Optimizer Control Script, an attacker might be able to execute malicious code on your site using a Cross-Site Scripting (XSS) attack. This attack can only take place if a website or browser has already been compromised by a separate attack. While the immediate probability of this attack is low, we urge you to take action to protect your site.

Fortunately, Google has addressed the problem, but website owners using Website Optimizer need to fix the code on their test pages immediately. Google's recommended approach is to stop your current experiments and replace the code by creating a new experiment, which generates new code:

    Creating a New Experiment

       1. Stop any currently running Website Optimizer experiments
       2. Remove all the Website Optimizer scripts from your site
       3. Create a new experiment as normal. New experiments are not vulnerable.

However, if you prefer to leave your current experiments running and patch the existing code instead, you can take that approach. Here are Google's instructions for doing so:

       1. Locate the Control Script on your site. It looks like this:

    A/B Test Control Script
   
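<!-- Google Website Optimizer Control Script -->
<!-- ORIGINAL (vulnerable) A/B test control script, shown for reference only; the fixed version is further down. -->
    <script>
    function utmx_section(){}function utmx(){}
    // k: the experiment key (replace XXXXXXXXXX with your own). c: the raw document.cookie string.
    (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){
    // f(n) returns the raw value of cookie n. No encoding is applied, so any quote or
    // angle bracket present in the cookie value is passed straight through.
    if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
    length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash;
    // x and xx (raw __utmx / __utmxx cookie values) are concatenated into the src attribute
    // of a script tag emitted via document.write. A cookie value containing a double quote
    // can terminate that attribute and inject markup -- the XSS this post is about. Exploiting
    // it requires being able to set a cookie for the site, which is why Google says a separate
    // compromise must come first. Note the hash (h) is already escape()d; the cookie values are not.
    d.write('<sc'+'ript src="'+
    'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
    +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
    +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
    '" charset="utf-8"></sc'+'ript>')})();
    </script><script>utmx("url",'A/B');</script>
    <!-- End of Google Website Optimizer Control Script -->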

    Multivariate Test Control Script
   
<!-- Google Website Optimizer Control Script -->
<!-- ORIGINAL (vulnerable) multivariate test control script, shown for reference only; the fixed version is further down. -->
    <script>
    function utmx_section(){}function utmx(){}
    // k: the experiment key (replace XXXXXXXXXX with your own). c: the raw document.cookie string.
    (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){
    // f(n) returns the raw value of cookie n. No encoding is applied, so any quote or
    // angle bracket present in the cookie value is passed straight through.
    if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
    length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash;
    // x and xx (raw __utmx / __utmxx cookie values) are concatenated into the src attribute
    // of a script tag emitted via document.write. A cookie value containing a double quote
    // can terminate that attribute and inject markup -- the XSS this post is about. Exploiting
    // it requires being able to set a cookie for the site, which is why Google says a separate
    // compromise must come first. Note the hash (h) is already escape()d; the cookie values are not.
    d.write('<sc'+'ript src="'+
    'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
    +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
    +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
    '" charset="utf-8"></sc'+'ript>')})();
    </script>
    <!-- End of Google Website Optimizer Control Script -->

       1. Locate the following in the Control Script:
return c.substring(...
       2. Modify the following line as shown:
          BEFORE:
return c.substring(i+n.length+1,j<0?c.length:j)
          FIXED:
return escape(c.substring(i+n.length+1,j<0?c.length:j))
          Make sure to include the final closing parenthesis
“)”
    Fixed A/B Control Script
   
<!-- Google Website Optimizer Control Script -->
<!-- FIXED A/B test control script: f() now escape()s the cookie value before it is written into the script src attribute. -->
    <script>
    function utmx_section(){}function utmx(){} (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);
    // The fix: escape() percent-encodes quotes, angle brackets, spaces and '&' (only letters,
    // digits and @*_+-./ pass through), so a cookie value can no longer break out of the src
    // attribute built below. escape() is a legacy function, but it is what Google's fix
    // specifies; keep the line exactly as shown, including the final closing parenthesis.
    return escape(c.substring(i+n.length+1,j<0?c.length:j))}}}
    var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+
    'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
    +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
    +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
    '" charset="utf-8"></sc'+'ript>')})();
    // To confirm the patch is live, check (e.g. in the browser's network tools) that the
    // siteopt.js request URL carries the __utmx / __utmxx values percent-encoded.
    </script><script>utmx("url",'A/B');
    </script>
    <!-- End of Google Website Optimizer Control Script -->
    Fixed Multivariate Control Script
 
  <!-- Google Website Optimizer Control Script -->
  <!-- FIXED multivariate test control script: f() now escape()s the cookie value before it is written into the script src attribute. -->
    <script>
    function utmx_section(){}function utmx(){}
    // k: the experiment key (replace XXXXXXXXXX with your own). c: the raw document.cookie string.
    (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){
    if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);
    // The fix: escape() percent-encodes quotes, angle brackets, spaces and '&' (only letters,
    // digits and @*_+-./ pass through), so a cookie value can no longer break out of the src
    // attribute built below. escape() is a legacy function, but it is what Google's fix
    // specifies; keep the line exactly as shown, including the final closing parenthesis.
    return escape(c.substring(i+n.length+1,j<0?c.length:j))}}}
    var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+
    'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
    +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
    +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
    '" charset="utf-8"></sc'+'ript>')})();
    // To confirm the patch is live, check (e.g. in the browser's network tools) that the
    // siteopt.js request URL carries the __utmx / __utmxx values percent-encoded.
    </script>
    <!-- End of Google Website Optimizer Control Script -->

You’ll need to replace the k='XXXXXXXXXX' in the code above with the ID from your own experiment.
After the code is updated, there is no need to stop the experiments or create new experiments to replace them.
All new experiments starting today will use the new code and thus will not have the security flaw.