Open Web Analytics <= 1.5.6 (queue.php) PHP Object Injection Vulnerability &#8226; Software Link: http://www.openwebanalytics.com/ &#8226; Affected Versions: All versions from 1.2.2 to 1.5.6. &#8226; Vulnerability Description: The vulnerable code is located in the /queue.php script: 40 41 42 43 44 45 46 47 48 49 50 $owa->setSetting('base', 'is_remote_event_queue', true); $owa->e->debug($_POST); $raw_event = owa_coreAPI::getRequestParam('event'); if ( $raw_event ) { $dispatch = owa_coreAPI::getEventDispatch(); $event = unserialize( base64_decode( $raw_event ) ); $owa->e->debug(print_r($event,true)); $dispatch->asyncNotify($event); } Input passed through the &#8220;owa_event&#8221; POST parameter is not properly sanitized before being used in a call to the unserialize() function at line 47. This could be exploited to change certain configuration options or create a file containing arbitrary PHP code via specially crafted serialized objects. &#8226; Solution: Update to version 1.5.7. &#8226; Disclosure Timeline: [21/02/2014] &#8211; Request for contact details [23/02/2014] &#8211; Vendor response [24/02/2014] &#8211; Vendor notified [27/02/2014] &#8211; Vendor releases updates [10/03/2014] &#8211; Public disclosure &#8226; CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-2294 to this vulnerability.