Path traversal and DoS vulnerability in OpenEMR project
Vulnerable function in file: /openemr/custom/ajax_download.php
Conditions:
- any authorized user
- for the DoS case: the directory "/sites/default/documents/cqm_qrda/" must exist on the server (because of how "unlink()" works, every directory in the path to the file must already exist, with the file inside it).
Vulnerable versions: <5.0.2, Fixed in 5.0.2 version.
Vulnerable variable in this function: fileName. It is fully controlled by the attacker, and there is no filtering or validation of it at all.
An attacker can download any file from server storage that is readable by the www-data user.
If the requested file is writable by the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file is deleted from the server after download.
A missing directory is not a big obstacle, since the attacker can create it. The "higher_level_path" variable of the upload function /openemr/controller.php?document&upload
lets the caller choose the directory name where the uploaded file is stored; if that directory does not exist (and the "patient_id" variable is numeric and greater than 0), it is created with "700" permissions, owned by the www-data user.
This can cause a DoS, because the attacker can delete configs/PHP scripts from the server.
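The root cause above is a file name that is concatenated into a filesystem path and then handed to readfile/unlink with no check. The following added example (not OpenEMR's code; the directory layout, file names and function names are constructed for the demo) shows that vulnerable join beside a hardened resolver that accepts only a bare file name and requires the resolved target, symlinks followed, to stay inside the documents directory. The same containment check is what the download-then-delete flow should run before touching the file.

```python
"""Added example, not OpenEMR code: unvalidated path join vs. a contained one.
The documents directory and its files are constructed in a temp dir so the
example runs offline."""
import os
import tempfile
from typing import Dict, Optional


def vulnerable_path(base_dir: str, file_name: str) -> str:
    """Vulnerable pattern: the caller's file name is joined to the base with no
    validation, so '..' segments (or an absolute name) walk out of base_dir."""
    return os.path.join(base_dir, file_name)


def resolve_inside(base_dir: str, file_name: str) -> Optional[str]:
    """Hardened pattern: accept only a bare file name and require the resolved
    target (symlinks followed) to sit inside the resolved base directory."""
    if not file_name or file_name in (".", "..") or os.path.basename(file_name) != file_name:
        return None  # contains a separator or is a dot entry: not a plain name
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_name))
    # Compare against base plus a separator so '/docs' does not admit '/docs_other/x'.
    if not target.startswith(base + os.sep):
        return None  # symlink (or anything else) pointing outside the base
    if not os.path.isfile(target):
        return None
    return target


def download_and_delete(base_dir: str, file_name: str) -> Optional[bytes]:
    """Mirrors the advisory's read-then-unlink flow, but only for a contained path.
    Returns the file contents, or None when the request is refused."""
    path = resolve_inside(base_dir, file_name)
    if path is None:
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    os.unlink(path)
    return data


def demo() -> Dict[str, bool]:
    """Constructed layout: documents/report.xml plus a config.php one level
    above it that must never be reachable through the handler."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "documents")
    os.mkdir(docs)
    with open(os.path.join(docs, "report.xml"), "wb") as fh:
        fh.write(b"<report/>")
    config = os.path.join(root, "config.php")
    with open(config, "wb") as fh:
        fh.write(b"<?php // constructed secret")
    symlink_rejected = True
    try:  # a symlink inside docs that points at the config file
        os.symlink(config, os.path.join(docs, "link.php"))
        symlink_rejected = resolve_inside(docs, "link.php") is None
    except OSError:
        pass  # platform without symlink support: skip that check
    return {
        "vulnerable_escapes": os.path.realpath(vulnerable_path(docs, "../config.php"))
        == os.path.realpath(config),
        "hardened_rejects_traversal": resolve_inside(docs, "../config.php") is None,
        "hardened_rejects_absolute": resolve_inside(docs, config) is None,
        "hardened_rejects_symlink": symlink_rejected,
        "hardened_serves_valid": download_and_delete(docs, "report.xml") == b"<report/>",
        "file_removed_after_download": not os.path.exists(os.path.join(docs, "report.xml")),
        "config_untouched": os.path.exists(config),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The basename check alone is enough to stop dotted segments; the realpath containment check is the second layer that also stops symlinks planted inside the documents directory, which matters on a system where the same user can both upload files and request downloads.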
Impact:
- Information disclosure.
- Denial of service.
P.S. Special thanks to Brady G. Miller from the OpenEMR team for the fast response and patches.