Wezery/CVE-2019-14530
CVE-2019-14530

Path traversal and DoS vulnerability in OpenEMR project

Vulnerable function in file: /openemr/custom/ajax_download.php

Conditions:

  1. any authorized user
  2. for the DoS case: the directory "/sites/default/documents/cqm_qrda/" must exist on the server (because of how "unlink()" works, the path to the file must consist only of existing directories ending in an existing file)

Vulnerable versions: <5.0.2. Fixed in version 5.0.2.

Description

The vulnerable variable in this function is fileName: it can be controlled by the attacker and there is no filtering or validation of it.

An attacker can download any file (that is readable by the user www-data) from server storage.

If the requested file is writable by the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file will be deleted from the server.

A non-existing directory is not a big problem, since the attacker can create it. The "higher_level_path" variable in the upload function /openemr/controller.php?document&upload allows providing the name of the directory where the file will be stored; if this directory does not exist (and the "patient_id" variable is numeric and greater than 0) it will be created with "700" permissions and owned by the "www-data" user.

This can cause a DoS, because the attacker can delete configs/PHP scripts from the server.
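The root cause described above is a user-controlled file name reaching readfile() and unlink() without any containment check, plus an upload parameter that accepts an arbitrary directory name. The following is an added example written for this page, not OpenEMR's code and not the official patch: it confines the requested name to a single base directory before serving or deleting anything, and applies an allowlist to the directory name used on upload. The base directory constant and the function names are assumptions for illustration.

```php
<?php
// Added example (not OpenEMR's code or the official patch): a download/unlink
// handler that confines a user-controlled file name to one base directory.
declare(strict_types=1);

// Hypothetical base directory; the real application would use its own setting.
const DOCUMENT_BASE = '/var/www/openemr/sites/default/documents/cqm_qrda';

/**
 * Resolve $userPath inside $base and return the canonical absolute path,
 * or null if it is malformed, escapes the base directory, or does not exist.
 */
function resolveWithinBase(string $base, string $userPath): ?string
{
    // Reject NUL bytes outright; they truncate paths in C-level file APIs.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // Keep only the final path component: no directories, no "../" sequences.
    $name = basename($userPath);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $realBase  = realpath($base);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($realBase === false || $candidate === false) {
        return null;
    }
    // Containment check on the canonical path: this also catches a file inside
    // the base directory that is a symlink pointing somewhere else.
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Serve a document from DOCUMENT_BASE and remove it afterwards.
 * Returns true when a file was sent, false when the request was rejected.
 */
function serveAndRemoveDocument(string $requestedName): bool
{
    $path = resolveWithinBase(DOCUMENT_BASE, $requestedName);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        // Encode the raw value so the log line cannot be forged with newlines.
        error_log('rejected document request: ' . rawurlencode($requestedName));
        return false;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    // unlink() now only ever sees a path already proven to lie inside the base.
    unlink($path);
    return true;
}

/**
 * Allowlist for a directory name supplied on upload: one path component made of
 * safe characters, so no separators, no dots and no traversal are possible.
 */
function isSafeSubdirectoryName(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name);
}

// Usage (hypothetical parameter names):
//   serveAndRemoveDocument($_GET['fileName'] ?? '');
//   if (!isSafeSubdirectoryName($_POST['higher_level_path'] ?? '')) { http_response_code(400); exit; }
```

The two checks work together: basename() removes any directory components from the request, and the realpath() prefix comparison confirms the resolved target is still under the base even if a symlink was planted there. Rejected requests are logged with the encoded raw value, which gives a detection hook for traversal attempts without trusting the input.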

Impact

Information disclosure.

Denial of service.

Other

OpenEMR official site

OpenEMR git repo

Patch for this issue

P.S. Special thanks to Brady G. Miller from the OpenEMR team for the fast response and patches.
