Wezery / CVE-2019-14530

OpenEMR security issue

CVE-2019-14530

Path traversal and DoS vulnerability in OpenEMR project

Vulnerable function in file: /openemr/custom/ajax_download.php

Conditions:

  1. any authorized user
  2. for the DoS case: the directory "/sites/default/documents/cqm_qrda/" must exist on the server (due to the logic of the "unlink()" function, the path to the file must consist only of existing directories with the file inside them).

Vulnerable versions: < 5.0.2. Fixed in version 5.0.2.

Description

The vulnerable variable in this function is fileName: it can be controlled by the attacker and is neither filtered nor validated.

An attacker can download any file from the server's storage that is readable by the www-data user.

If the requested file is writable by the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file is deleted from the server.

A missing directory is not a serious obstacle, since the attacker can create it. The "higher_level_path" variable of the upload function /openemr/controller.php?document&upload lets the caller provide the name of the directory in which the file will be stored; if this directory does not exist (and the "patient_id" variable is numeric and greater than 0), it is created with "700" permissions and owned by the "www-data" user.

This can cause a DoS, because the attacker can delete configuration files or PHP scripts from the server.
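As an added illustration (not code from OpenEMR or from this advisory), the Python below places the unguarded join-and-use pattern the description refers to beside a containment check that canonicalises the requested name and refuses anything outside the document root, for both the download and the unlink case. Every file and directory name in it is constructed for the demo.

```python
import os
import tempfile
from typing import Optional

def resolve_document_path(base_dir: str, requested: str) -> Optional[str]:
    """Canonicalise `requested` under `base_dir`; return None if it escapes.
    realpath() collapses '..' and follows symlinks, so a symlink inside the
    document root that points outside it is rejected as well."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath is a whole-component prefix test; startswith() alone would
    # accept a sibling directory such as "documents_old" for base "documents".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def delete_document(base_dir: str, requested: str) -> bool:
    """Guarded counterpart of calling unlink() on a user-supplied name."""
    target = resolve_document_path(base_dir, requested)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def unguarded_join(base_dir: str, requested: str) -> str:
    """The pattern the advisory describes: join and use, with no check."""
    return os.path.normpath(os.path.join(base_dir, requested))


def demo() -> dict:
    """Constructed layout with hypothetical names; exercises both variants."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "documents")
    os.mkdir(base)
    inside = os.path.join(base, "report.xml")   # constructed legitimate document
    outside = os.path.join(root, "config.php")  # constructed stand-in for a config
    for p in (inside, outside):
        open(p, "w").close()
    return {
        "unguarded_escapes": unguarded_join(base, "../config.php") == outside,
        "traversal_blocked": resolve_document_path(base, "../config.php") is None,
        "absolute_blocked": resolve_document_path(base, "/etc/hostname") is None,
        "legit_allowed": resolve_document_path(base, "report.xml") == inside,
        "guarded_delete_refused": not delete_document(base, "../config.php"),
        "outside_survives": os.path.exists(outside),
        "inside_deleted": delete_document(base, "report.xml") and not os.path.exists(inside),
    }
```

Every entry returned by demo() is True: the unguarded join resolves to the sibling config file, while the guarded resolver rejects both the relative traversal and an absolute path and only ever unlinks inside the document root.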

Impact

Information disclosure.

Denial of service.

Other

OpenEMR official site

OpenEMR git repo

Patch for this issue

P.S. Special thanks to Brady G. Miller from the OpenEMR team for the fast response and patches.
