High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in OpenEMR, which can be exploited to perform local file inclusion and arbitrary command execution attacks.
Multiple Local File Inclusion vulnerabilities in OpenEMR: CVE-2012-0991
1.1 Input passed via the “formname” GET parameter to /contrib/acog/print_form.php is not properly verified before being used to include local files.
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.
The following PoC (Proof of Concept) demostrates the vulnerability:
http://[host]/contrib/acog/print_form.php?formname=…/…/…/etc/passwd%00
1.2 Input passed via the “formname” GET parameter to /interface/patient_file/encounter/load_form.php, /interface/patient_file/encounter/view_form.php and /interface/patient_file/encounter/trend_form.php is not properly verified before being used to include local files.
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.
The following PoC (Proof of Concept) demostrate the vulnerabilities:
http://[host]/interface/patient_file/encounter/load_form.php?formname=…/…/ …/etc/passwd%00
http://[host]/interface/patient_file/encounter/view_form.php?formname=…/…/ …/etc/passwd%00
http://[host]/interface/patient_file/encounter/trend_form.php?formname=…/… /…/etc/passwd%00
Successful exploitation of these vulnerabilities requires that the attacker is registered and logged-in.
Arbitrary Command Execution vulnerabilities in OpenEMR: CVE-2012-0992
Input passed via “file” parameter to /interface/fax/fax_dispatch.php is not properly sanitised before being used in an “exec()” call.
This can be exploited to execute arbitrary system commands.
The following PoC (Proof of Concept) demostrates the vulnerability:
http://[host]/interface/fax/fax_dispatch.php?file=1%27%20||%20ls%20%3E%20123 %20||
Successful exploitation of this vulnerability requires that the attacker is registered and logged-in.