Open Web Analytics 1.5.4 - (owa_email_address param) - SQL Injection Vulnerability
|| CVE: 2014-1206
|Author: Dana James Traversie
||Vulnerable App: N/A
Dell SecureWorks Security Advisory SWRX-2014-001
Open Web Analytics Pre-Auth SQL Injection
Title: Open Web Analytics Pre-Auth SQL Injection
Advisory ID: SWRX-2014-001
Advisory URL: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2014-001/
Date published: Thursday, January 9, 2014
CVSS v2 base score: 7.5
Date of last update: Wednesday, January 8, 2014
Vendors contacted: Open Web Analytics
Release mode: Coordinated
Discovered by: Dana James Traversie, Dell SecureWorks
Open Web Analytics (OWA) is open source web analytics software that can track and analyze how visitors use websites and applications. OWA is vulnerable to SQL injection that allows an attacker to execute arbitrary SQL statements in the context of the configured OWA database user without authenticating to the web application.
This vulnerability affects Open Web Analytics v1.5.4.
Vendor Information, Solutions, and Workarounds
The vendor has released an updated version to address this vulnerability. OWA users should upgrade to version v1.5.5 or later.
An SQL injection vulnerability exists in Open Web Analytics v1.5.4 due to insufficient input validation of the ‘owa_email_address’ parameter on the password reset page. The password reset page does not require user authentication. A remote attacker can leverage this issue to execute arbitrary SQL statements in the context of the configured OWA database user. The impact of the vulnerability varies based on the deployment and configuration of the OWA, database, and web server software. Successful exploitation could result in complete loss of confidentiality, integrity, and availability in the OWA database and may affect the entire underlying database management system. This issue could also lead to operating system compromise under the right conditions.
CVSS severity (version 2.0)
Access vector: Network
Access complexity: Low
Impact type: Manipulation of SQL queries and execution of arbitrary SQL commands on the underlying
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
CVSS v2 base score: 7.5
CVSS v2 impact subscore: 6.4
CVSS v2 exploitability subscore: 10
CVSS v2 vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Proof of concept
POST /owa/index.php?owa_do=base.passwordResetForm HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept-Encoding: gzip, deflate
HTTP/1.1 200 OK
Date: Fri, 14 Feb 2014 17:03:43 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Type: text/html; charset=UTF-8
Invalid address: qwvhqe2744931d91565ed5b44a1d52746afa0qvbyq<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title> - Open Web Analytics</title>
<!-- HEAD Elements -->
The password hash of the admin user included in the response: e2744931d91565ed5b44a1d52746afa0
1.0 2014-01-09: Initial advisory release
This advisory has been signed with the Dell SecureWorks Counter Threat Unit™ PGP key, which is
available for download at http://www.secureworks.com/SecureWorksCTU.asc.
About Dell SecureWorks
Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology and business solutions they trust and value. Recognized as an industry leader by top analysts, Dell SecureWorks provides world-class information security services to help organizations of all sizes protect their IT assets, comply with regulations and reduce security costs.
Copyright © 2014 Dell SecureWorks
The most recent version of this advisory may be found on the Dell SecureWorks website at www.secureworks.com. The contents of this advisory may change or be removed from the website without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall Dell SecureWorks be liable for any damages whatsoever arising out of or in connection with the use or further publication or disclosure of this information.