Open Web Analytics <= 1.5.6 (queue.php) PHP Object Injection Vulnerability

• Software Link:

http://www.openwebanalytics.com/

• Affected Versions:

All versions from 1.2.2 to 1.5.6.

• Vulnerability Description:

The vulnerable code is located in the /queue.php script:

	$owa->setSetting('base', 'is_remote_event_queue', true);
	$owa->e->debug($_POST);
	$raw_event = owa_coreAPI::getRequestParam('event');
	
	if ( $raw_event ) { 
	
		$dispatch = owa_coreAPI::getEventDispatch();
		$event = unserialize( base64_decode( $raw_event ) );
		$owa->e->debug(print_r($event,true));
		$dispatch->asyncNotify($event);
	}

Input passed through the “owa_event” POST parameter is not properly sanitized before being used in a call to the unserialize() function at line 47. This could be exploited to change certain configuration options or create a file containing arbitrary PHP code via specially crafted serialized objects.

• Solution:

Update to version 1.5.7.

• Disclosure Timeline:

[21/02/2014] – Request for contact details
[23/02/2014] – Vendor response
[24/02/2014] – Vendor notified
[27/02/2014] – Vendor releases updates
[10/03/2014] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-2294 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano, Secunia Research.

• Original Advisory:

http://secunia.com/secunia_research/2014-3