Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
htbridgeHigh-Tech BridgeHTB23069
HistoryJan 11, 2012 - 12:00 a.m.

Multiple vulnerabilities in OpenEMR

2012-01-1100:00:00
High-Tech Bridge
www.htbridge.com
18

0.727 High

EPSS

Percentile

98.1%

JSON

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in OpenEMR, which can be exploited to perform local file inclusion and arbitrary command execution attacks.

  1. Multiple Local File Inclusion vulnerabilities in OpenEMR: CVE-2012-0991
    1.1 Input passed via the “formname” GET parameter to /contrib/acog/print_form.php is not properly verified before being used to include local files.
    This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.
    The following PoC (Proof of Concept) demostrates the vulnerability:
    http://[host]/contrib/acog/print_form.php?formname=…/…/…/etc/passwd%00
    1.2 Input passed via the “formname” GET parameter to /interface/patient_file/encounter/load_form.php, /interface/patient_file/encounter/view_form.php and /interface/patient_file/encounter/trend_form.php is not properly verified before being used to include local files.
    This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.
    The following PoC (Proof of Concept) demostrate the vulnerabilities:
    http://[host]/interface/patient_file/encounter/load_form.php?formname=…/…/ …/etc/passwd%00
    http://[host]/interface/patient_file/encounter/view_form.php?formname=…/…/ …/etc/passwd%00
    http://[host]/interface/patient_file/encounter/trend_form.php?formname=…/… /…/etc/passwd%00
    Successful exploitation of these vulnerabilities requires that the attacker is registered and logged-in.

  2. Arbitrary Command Execution vulnerabilities in OpenEMR: CVE-2012-0992
    Input passed via “file” parameter to /interface/fax/fax_dispatch.php is not properly sanitised before being used in an “exec()” call.
    This can be exploited to execute arbitrary system commands.
    The following PoC (Proof of Concept) demostrates the vulnerability:
    http://[host]/interface/fax/fax_dispatch.php?file=1%27%20||%20ls%20%3E%20123 %20||
    Successful exploitation of this vulnerability requires that the attacker is registered and logged-in.

CPENameOperatorVersion
openemrle4.1.0

Related

openvas 2
cvelist 2
nvd 2
nuclei 1
cve 2
prion 2
openvas
openvas
OpenEMR Local File Include and Command Injection Vulnerabilities
2012-02-02 00:00:00
OpenEMR Local File Include and Command Injection Vulnerabilities
2012-02-02 00:00:00
cvelist
cvelist
CVE-2012-0992
2012-02-07 21:00:00
CVE-2012-0991
2012-02-07 21:00:00
nvd
nvd
CVE-2012-0992
2012-02-07 21:55:03
CVE-2012-0991
2012-02-07 21:55:03
nuclei
nuclei
OpenEMR 4.1 - Local File Inclusion
2021-07-30 23:04:14
cve
cve
CVE-2012-0992
2012-02-07 21:55:03
CVE-2012-0991
2012-02-07 21:55:03
prion
prion
Code injection
2012-02-07 21:55:00
Directory traversal
2012-02-07 21:55:00

0.727 High

EPSS

Percentile

98.1%

JSON
Related for HTB23069
openvas2cvelist2nvd2nuclei1cve2prion2