Open Web Analytics <= 1.5.6 (queue.php) PHP Object Injection Vulnerability
• Software Link:
http://www.openwebanalytics.com/
• Affected Versions:
All versions from 1.2.2 to 1.5.6.
• Vulnerability Description:
The vulnerable code is located in the /queue.php script:
$owa->setSetting('base', 'is_remote_event_queue', true); $owa->e->debug($_POST); $raw_event = owa_coreAPI::getRequestParam('event'); if ( $raw_event ) { $dispatch = owa_coreAPI::getEventDispatch(); $event = unserialize( base64_decode( $raw_event ) ); $owa->e->debug(print_r($event,true)); $dispatch->asyncNotify($event); }
Input passed through the “owa_event” POST parameter is not properly sanitized before being used in a call to the unserialize() function at line 47. This could be exploited to change certain configuration options or create a file containing arbitrary PHP code via specially crafted serialized objects.
• Solution:
Update to version 1.5.7.
• Disclosure Timeline:
[21/02/2014] – Request for contact details
[23/02/2014] – Vendor response
[24/02/2014] – Vendor notified
[27/02/2014] – Vendor releases updates
[10/03/2014] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-2294 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano, Secunia Research.
• Original Advisory: