
Cloud Vulnerability DB
A community-led vulnerabilities database
Open Web Analytics (OWA) before version 1.7.4 contains a vulnerability (CVE-2022-24637) that allows an unauthenticated remote attacker to obtain sensitive user information. The vulnerability was discovered in March 2022 and affects all versions of OWA up to 1.7.3 (NVD, AttackerKB).
The vulnerability stems from a single-quote/double-quote confusion in the file cache mechanism. The headers of the automatically generated PHP cache files are written with single quotes instead of double quotes, which changes how their escape sequences are handled and leads to information disclosure. Attackers can retrieve base64-encoded serialized data containing sensitive information, including usernames, hashed passwords, temp_passkeys, and API keys (Devel0pment).
Successful exploitation of this vulnerability allows attackers to obtain sensitive user information, which can be leveraged to gain administrative privileges. The exposed information includes user credentials and API keys that can be used to compromise the system. When chained with other vulnerabilities, it can lead to remote code execution on the underlying webserver (FortiGuard).
The vulnerability was patched in version 1.7.4. The fix includes replacing single quotes with double quotes for cache file headers and footers, including OWA_AUTH_KEY in cache filename calculations, and removing the owa_user entity from the cache entirely. Organizations should upgrade to version 1.7.4 or later to protect against this vulnerability (GitHub).
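For defenders checking whether cache files written before the upgrade are still on disk, the following added example (not code from OWA or from the advisory) walks a directory and flags `.php` files whose header carries a literal backslash escape instead of a real newline. The header shape (`<?php`, a newline, then a comment opener) and the sample contents are assumptions constructed for illustration, and the directory to scan is supplied by the operator.

```python
import os
import re
import sys

# Header as intended: "<?php", real whitespace, then the comment opener.
GUARDED = re.compile(rb"<\?php\s+/\*")
# "<?php" followed by a literal backslash escape: what a single-quoted
# PHP string such as '<?php\n' writes to disk (assumed header shape).
LITERAL_ESCAPE = re.compile(rb"<\?php\\[nrt]")

# Constructed samples; "c2FtcGxl" is a placeholder, not real cache data.
SAMPLE_VULNERABLE = rb"<?php\n/*c2FtcGxl*/\n?>"  # backslash-n kept literally
SAMPLE_FIXED = b"<?php\n/*c2FtcGxl*/\n?>"        # real newlines

def classify(head: bytes) -> str:
    """Classify the first bytes of a cache file."""
    if LITERAL_ESCAPE.match(head):
        return "exposed"   # "<?php\" is not an opening tag: served as text
    if GUARDED.match(head):
        return "guarded"   # valid opening tag, payload sits in a comment
    return "unknown"       # no recognisable header, review manually

def scan(root: str) -> list[tuple[str, str]]:
    """Return (path, verdict) for every .php file that is not guarded."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    verdict = classify(fh.read(64))
            except OSError as exc:
                verdict = f"unreadable: {exc}"
            if verdict != "guarded":
                findings.append((path, verdict))
    return findings

if __name__ == "__main__":
    # Usage: python check_cache.py <cache directory chosen by the operator>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict in scan(root):
        print(f"{verdict}\t{path}")
```

Files reported as `exposed` predate the fix and should be deleted after upgrading; any credentials or API keys they held should be rotated.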
Source: This report was generated using AI