header-logo
Suggest Exploit
vendor:
OpenClinic
by:
VB
4.1
CVSS
MEDIUM
Information Disclosure
200
CWE
Product Name: OpenClinic
Affected Version From: 5.247.01
Affected Version To: 5.247.01
Patch Exists: NO
Related CWE: CVE-2023-40278
CPE: a:openclinic:openclinic:5.247.01
Metasploit:
Other Scripts:
Platforms Tested: Windows 10, Windows 11
2023

OpenClinic GA 5.247.01 – Information Disclosure

An Information Disclosure vulnerability in OpenClinic GA 5.247.01 allows an attacker to infer the existence of specific appointments by manipulating the input to the printAppointmentPdf.jsp component. By observing error messages, an unauthorized user can determine the presence of appointments without direct access to the data, potentially revealing sensitive information about appointments at private clinics, surgeries, and doctors' practices. This vulnerability is identified as CVE-2023-40278.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input to prevent manipulation and ensure that error messages do not leak sensitive information.
Source

Exploit-DB raw data:

# Exploit Title: OpenClinic GA 5.247.01 - Information Disclosure
# Date: 2023-08-14
# Exploit Author: VB
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/
# Version: OpenClinic GA 5.247.01
# Tested on: Windows 10, Windows 11
# CVE: CVE-2023-40278

# Details
An Information Disclosure vulnerability was discovered in the printAppointmentPdf.jsp component of OpenClinic GA 5.247.01. The issue arises due to improper handling of error messages in response to manipulated input, allowing an attacker to deduce the existence of specific appointments.

# Proof of Concept (POC)
Steps to Reproduce:

- Access the Vulnerable Component:

- Navigate to the URL: http://[IP]:10088/openclinic/planning/printAppointmentPdf.jsp?AppointmentUid=1.1.
- Manipulating the AppointmentUid Parameter:

- Change the `AppointmentUid` parameter value to test different IDs.

- For example, try different numerical values or formats.
- Observing the Responses:

- Note the system's response when accessing with different `AppointmentUid` values.
- A "document is not open" error indicates the existence of an appointment with the specified ID.
- A different error message or response indicates non-existence.
- Confirming the Vulnerability:

- The differing error messages based on the existence of an appointment confirm the Information Disclosure vulnerability.
- This allows an unauthorized user to deduce whether specific appointments exist without direct access to appointment data. As a result, an attacker could deduce the number of appointments performed by private clinics, surgeries and private doctors.