CVE-2018-15140 in OpenEMR
Summary
by MITRE
Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter when the mode is set to get.
Analysis
by VulDB Data Team • 12/23/2024
This vulnerability exists in OpenEMR versions prior to 5.0.1.4 within the portal/import_template.php script, where a directory traversal flaw allows authenticated portal users to read arbitrary files on the server. The flaw is reachable when the mode parameter is set to get and the docid parameter is manipulated to traverse directory paths. It is a critical weakness: the script neither validates the supplied id nor confines the resulting file access to the intended directory, contrary to the principle of least privilege.
The technical flaw stems from insufficient sanitization of user-supplied input in the docid parameter, allowing attackers to craft malicious paths that bypass normal file access controls. When an authenticated patient portal user submits a crafted docid value containing directory traversal sequences such as ../ or ..\, the application processes these sequences without proper validation, enabling access to files outside the intended directory structure. This vulnerability aligns with CWE-22 - Improper Limitation of a Pathname to a Restricted Directory and represents a classic path traversal attack vector that has been documented across numerous web applications.
The operational impact of this vulnerability is severe as it allows a malicious authenticated user to potentially access sensitive files including configuration files, database credentials, application source code, and other confidential data stored on the server. An attacker could exploit this to gain unauthorized access to patient records, system configuration details, or even escalate privileges within the application. The vulnerability is particularly dangerous because it requires only portal authentication, which may be obtained through social engineering, credential theft, or other means, making it accessible to threat actors with minimal initial access requirements.
Mitigation should start with immediate patching to OpenEMR version 5.0.1.4 or later, where the issue has been addressed through proper input validation and sanitization. Organizations should implement proper access controls and validate all user input before using it in file operations. The principle of least privilege should be enforced by running the application with the minimum required permissions and strictly limiting file access to the intended directories. A web application firewall with input validation rules can additionally help detect and block traversal attempts. This vulnerability demonstrates the critical importance of input validation and access control in web applications. In ATT&CK terms, the prerequisite portal account corresponds to T1078 (Valid Accounts), and its acquisition commonly to T1566 (Phishing), which together describe the likely path to exploitation.
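As an added illustration (not OpenEMR's own code), the unvalidated concatenation pattern the analysis describes is shown next to a hardened "get" handler that canonicalises the path and checks containment; DOC_BASE, the function names and the template directory path are assumed.

```php
<?php
// Added illustration, not code from OpenEMR: a CWE-22 containment check for a
// "docid" parameter in "get" mode.  DOC_BASE, the function names and the
// directory path are assumptions for this example.
declare(strict_types=1);

// Directory that portal templates are allowed to come from (assumed path).
const DOC_BASE = '/var/www/openemr/sites/default/documents/templates';

// The pattern the advisory describes: the id is appended to a base directory
// with no validation, so an id containing "../" sequences leaves DOC_BASE.
// Shown for contrast only.
function insecure_get_document(string $docid): ?string
{
    $data = file_get_contents(DOC_BASE . '/' . $docid);
    return $data === false ? null : $data;
}

// Hardened version: restrict the id's character set, resolve ".." and
// symlinks with realpath(), then require the result to sit under DOC_BASE.
function portal_get_document(string $docid): ?string
{
    // 1. Shape check: a template id is a bare file name, never a path, so
    //    "/" and "\" are rejected before any filesystem call happens.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $docid)) {
        return null;
    }

    // 2. Canonicalise both sides; realpath() returns false for missing files.
    $base = realpath(DOC_BASE);
    $real = realpath(DOC_BASE . DIRECTORY_SEPARATOR . $docid);
    if ($base === false || $real === false) {
        return null;
    }

    // 3. Containment: the resolved path must be strictly inside the base dir.
    //    The trailing separator stops ".../templates2" matching ".../templates"
    //    and also rejects "." (which resolves to the base dir itself).
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    $data = file_get_contents($real);
    return $data === false ? null : $data;
}

// Dispatcher for the "get" mode; every rejected request is answered as 404.
if (($_GET['mode'] ?? '') === 'get') {
    $body = portal_get_document((string)($_GET['docid'] ?? ''));
    if ($body === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: text/plain');
    echo $body;
}
```

Logging the rejected docid values at step 1 and step 3 gives a detection signal for traversal attempts by authenticated portal users.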