module

Open Web Analytics 1.7.3 - Remote Code Execution (RCE)

Disclosed	Created
Mar 18, 2022	Mar 17, 2023

Disclosed

Mar 18, 2022

Created

Mar 17, 2023

Description

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive
user information, which can be used to gain admin privileges by leveraging cache hashes.
This occurs because files generated with ' by the PHP interpreter.

Authors

Jacob Ebben
Dennis Pfleger

Platform

PHP

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/multi/http/open_web_analytics_rce
    msf exploit(open_web_analytics_rce) > show targets
        ...targets...
    msf exploit(open_web_analytics_rce) > set TARGET < target-id >
    msf exploit(open_web_analytics_rce) > show options
        ...show and set options...
    msf exploit(open_web_analytics_rce) > exploit

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report