Open Web Analytics <= 1.5.6 (queue.php) PHP Object Injection Vulnerability
• Software Link:
http://www.openwebanalytics.com
• Affected Versions:
All versions from 1.2.2 to 1.5.6.
• Vulnerability Description:
The vulnerable code is located in the /queue.php script:
40$owa->setSetting('base', 'is_remote_event_queue', true);
41$owa->e->debug($_POST);
42$raw_event = owa_coreAPI::getRequestParam('event');
43
44if ( $raw_event ) {
45
46 $dispatch = owa_coreAPI::getEventDispatch();
47 $event = unserialize( base64_decode( $raw_event ) );
48 $owa->e->debug(print_r($event,true));
49 $dispatch->asyncNotify($event);
50}Input passed through the “owa_event” POST parameter is not properly sanitized before being used in a call to the unserialize() PHP function at line 47. This could be exploited to change certain configuration options or create a file containing arbitrary PHP code via specially crafted serialized objects.
• Solution:
Update to version 1.5.7.
• Disclosure Timeline:
[21/02/2014] – Request for contact details
[23/02/2014] – Vendor response
[24/02/2014] – Vendor notified
[27/02/2014] – Vendor releases updates
[10/03/2014] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-2294 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano, Secunia Research.