Description

The makeJson method within the owa_template class generates a JSON string in an unsafe manner. This method is utilized within the report.tpl file, where it receives parameters from the URL and generates a JSON string using them without properly sanitizing.

Proof of Concept

The vulnerability exists in the demo verion, so I'll use that for the proof of concept. I did confirm that the vulnerability exists in the latest master version too.

To reproduce this vulnerability you can simple open the following URL: http://demo.openwebanalytics.com/owa/index.php?owa_siteId=c9b7d12e322c7c360fb8f7c72ffe4c41&owa_period=last_seven_days&owa_do=base.reportGeolocation&owa_abc=%22};alert(1);//

In the above URL the parameter owa_abc has been injected with the value "};alert(1);//. This will popup an alert with the value 1 confirming the vulnerability.

Note that this is just an example URL. This code path is used throughout the application.

Impact

There is no CSP policy by default, so it is possible to inject external scripts using this vulnerability. This takes the necessity to put everything in the URL away allowing more complex exploits. It would be possible to call user actions from this, for example reading out data and sending this back to an attackers server, or adding an user account to the system.