Release date:
Updated on:
Affected Systems:
Open Web Analytics <= 1.5.4
Description:
--------------------------------------------------------------------------------
Bugtraq id: 64774
CVE (CAN) ID: CVE-2014-1206
Open Web Analytics is an Open source website traffic statistics system.
Open Web Analytics 1.5.4 and earlier versions do not properly filter the "owa_email_address" parameter of index.php (when "owa_do" is set to "base.passwordResetForm" and "owa_action" is set to "base.passwordResetRequest"). This vulnerability allows arbitrary SQL code injection.
<* Source: Dana James Traversie
Link: http://www.securelist.com/en/advisories/56350
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure (method) may be offensive and is intended only for security research and teaching. Users act at their own risk!
http://www.example.com/owa/index.php?owa_do=base.passwordResetForm
POST
owa_submit=Request+New+Password&owa_action=base.passwordResetRequest&owa_email_address=[SQL Injection]
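Detection logic for the request shape above, added here as an example (not code from the advisory or from the Open Web Analytics project): it scans logged POST requests, picks out those hitting the password-reset action, and flags an owa_email_address value that is not a well-formed address. The sample requests are constructed; an apostrophe is legal in an email local part, so the check validates shape rather than blacklisting quote characters.

```python
import re
from urllib.parse import parse_qs, urlparse

# Strict email shape: RFC 5322 local-part characters, then at least one dotted domain label.
# The apostrophe is legal in the local part, so "o'brien@example.com" must not be flagged.
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$"
)

def is_reset_request(method, url, body):
    """True when the request targets the OWA password-reset action named in the advisory."""
    if method.upper() != "POST":
        return False
    query = parse_qs(urlparse(url).query)
    form = parse_qs(body)
    return (query.get("owa_do") == ["base.passwordResetForm"]
            and form.get("owa_action") == ["base.passwordResetRequest"])

def classify(method, url, body):
    """'ignored' for unrelated traffic, 'ok' for a blank or well-formed address, 'suspicious' otherwise."""
    if not is_reset_request(method, url, body):
        return "ignored"
    values = parse_qs(body, keep_blank_values=True).get("owa_email_address", [""])
    # A repeated parameter, or a non-empty value that is not a plain address, is worth an alert.
    if len(values) != 1 or (values[0] and not EMAIL_RE.fullmatch(values[0])):
        return "suspicious"
    return "ok"

def scan(requests):
    """Run classify() over (method, url, body) tuples; return (index, body) for the suspicious ones."""
    return [(i, b) for i, (m, u, b) in enumerate(requests) if classify(m, u, b) == "suspicious"]

# Constructed sample traffic (not real captures) mirroring the advisory's request shape.
RESET_URL = "http://www.example.com/owa/index.php?owa_do=base.passwordResetForm"
FORM_PREFIX = "owa_submit=Request+New+Password&owa_action=base.passwordResetRequest&owa_email_address="
SAMPLE_REQUESTS = [
    ("POST", RESET_URL, FORM_PREFIX + "alice%40example.com"),          # normal user
    ("POST", RESET_URL, FORM_PREFIX + "o%27brien%40example.com"),      # legitimate apostrophe
    ("POST", RESET_URL, FORM_PREFIX + "x%40example.com%27%3B--+INJECTED"),  # malformed: quote, ';', comment
    ("GET", RESET_URL, ""),                                            # just loading the form
]

if __name__ == "__main__":
    for index, body in scan(SAMPLE_REQUESTS):
        print(f"request #{index}: suspicious owa_email_address in body {body!r}")
```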
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Open Web Analytics
------------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
www.openwebanalytics.com
Open Web Analytics:
http://wiki.openwebanalytics.com/index.php?title=1.5.5
Refer:
Dell SecureWorks:
http://www.secureworks.com/advisories/SWRX-2014-001/SWRX-2014-001.pdf