Open Web Analytics 1.5.6 PHP Object Injection Vulnerability

Open Web Analytics <= 1.5.6 (queue.php) PHP Object Injection Vulnerability

• Software Link:

http://www.openwebanalytics.com/

• Affected Versions:

All versions from 1.2.2 to 1.5.6.

• Vulnerability Description:

The vulnerable code is located in the /queue.php script:
40
41
42
43
44
45
46
47
48
49
50
	
$owa->setSetting('base', 'is_remote_event_queue', true);
$owa->e->debug($_POST);
$raw_event = owa_coreAPI::getRequestParam('event');
 
if ( $raw_event ) {
 
    $dispatch = owa_coreAPI::getEventDispatch();
    $event = unserialize( base64_decode( $raw_event ) );
    $owa->e->debug(print_r($event,true));
    $dispatch->asyncNotify($event);
}

Input passed through the “owa_event” POST parameter is not properly sanitized before being used in a call to the unserialize() function at line 47. This could be exploited to change certain configuration options or create a file containing arbitrary PHP code via specially crafted serialized objects.

• Solution:

Update to version 1.5.7.

• Disclosure Timeline:

[21/02/2014] – Request for contact details
[23/02/2014] – Vendor response
[24/02/2014] – Vendor notified
[27/02/2014] – Vendor releases updates
[10/03/2014] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-2294 to this vulnerability.

#  0day.today [2018-01-05]  #