CVE-2018-15142 in OpenEMR

Summary

by MITRE

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to execute arbitrary PHP code by writing a file with a PHP extension via the "docid" and "content" parameters and accessing it in the traversed directory.


Analysis

by VulDB Data Team • 12/22/2024

This vulnerability exists in OpenEMR versions prior to 5.0.1.4 within the portal/import_template.php file where a directory traversal flaw allows authenticated portal users to execute arbitrary PHP code. The vulnerability stems from insufficient input validation and sanitization of the docid and content parameters, which are used to write files to the server filesystem. When an attacker authenticates to the patient portal and submits malicious input through these parameters, the application fails to properly validate the file paths, enabling directory traversal attacks that can write PHP files to arbitrary locations within the web root directory.

The technical implementation of this vulnerability follows a classic directory traversal pattern where user-controllable input is directly concatenated into file paths without proper sanitization or validation. The docid parameter typically controls the filename while the content parameter contains the file contents, including potentially malicious PHP code. When these parameters are processed, the application does not adequately check for directory traversal sequences such as ../ or ..\ that would allow the attacker to navigate outside the intended directory boundaries. This flaw enables attackers to write PHP files to locations like the web root or other directories accessible via the web server, effectively creating a backdoor for code execution.

The operational impact of this vulnerability is significant as it transforms a simple authenticated portal access into a full system compromise capability. An attacker with valid patient portal credentials can escalate privileges and execute arbitrary code on the web server, potentially leading to data exfiltration, system reconnaissance, or further lateral movement within the network. The vulnerability affects the confidentiality, integrity, and availability of the OpenEMR system, as unauthorized code execution can result in complete system takeover. This represents a critical security risk for healthcare organizations that rely on OpenEMR for patient data management, as the compromise of such systems can lead to serious privacy violations and regulatory compliance issues.

The vulnerability aligns with CWE-22 Directory Traversal and CWE-94 Code Injection, both of which are categorized under the OWASP Top Ten as critical security risks. From an ATT&CK framework perspective, this vulnerability maps to T1059.007 Command and Scripting Interpreter: PHP and T1566.001 Phishing: Spearphishing Attachment, as it allows for remote code execution through web-based attacks. Organizations should implement immediate mitigations including upgrading to OpenEMR version 5.0.1.4 or later, which includes proper input validation and sanitization for the affected parameters. Additional defensive measures should include implementing proper file path validation, restricting file upload capabilities, and monitoring for suspicious file creation patterns within the web directories. Network segmentation and access controls should also be enforced to limit the potential impact of such vulnerabilities in the event of exploitation.
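The analysis above describes the flaw as a client-controlled name (docid) concatenated into a filesystem path without checking for traversal sequences, and lists file path validation and restricted file types among the mitigations. The following is an added example, not code from OpenEMR or from VulDB, showing what such a validation layer looks like in language-neutral form: it refuses names with directory components, canonicalises the target and requires it to stay under the intended directory, and only then permits a small allowlist of extensions, so a `.php` file can never be written regardless of the name. The directory name, the extension allowlist and all function names are assumptions for illustration.

```python
"""Added example (not OpenEMR code): validating a user-supplied document name
before writing it to disk. All names and the extension allowlist are hypothetical."""
import os
import tempfile

# Assumption: what a template store is expected to accept. Executable types are absent on purpose.
ALLOWED_EXTENSIONS = {".txt", ".html"}


class UnsafeDocumentName(ValueError):
    """Raised when a docid would leave the template directory or carries a disallowed extension."""


def safe_template_path(base_dir: str, docid: str) -> str:
    """Return an absolute path under base_dir for docid, or raise UnsafeDocumentName.

    Checks, in order:
    1. reject empty names and embedded NUL bytes;
    2. reject any path separator or directory component (docid must be a bare file name);
    3. canonicalise base_dir and the candidate and require the candidate to sit inside base_dir
       (defence in depth against '..' and against symlinks in base_dir itself);
    4. allow only an explicit extension allowlist, so an executable extension is never written.
    """
    if not docid or "\x00" in docid:
        raise UnsafeDocumentName("empty docid or embedded NUL")
    if "/" in docid or "\\" in docid or docid in (".", "..") or docid != os.path.basename(docid):
        raise UnsafeDocumentName("docid must not contain directory components")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, docid))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeDocumentName("resolved path escapes the template directory")
    _, ext = os.path.splitext(docid)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeDocumentName(f"extension {ext!r} is not permitted")
    return candidate


def save_template(base_dir: str, docid: str, content: str) -> str:
    """Write content only to a validated location and return the path used."""
    target = safe_template_path(base_dir, docid)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(content)
    return target


def classify(base_dir: str, docid: str) -> str:
    """'ok' if the docid is accepted, otherwise the rejection reason."""
    try:
        safe_template_path(base_dir, docid)
        return "ok"
    except UnsafeDocumentName as exc:
        return str(exc)


def demo_results() -> dict:
    """Run constructed sample names against a throwaway directory and return the verdicts."""
    samples = ["consent.txt", "notes.html", "../../index.php", "shell.php", "sub/x.txt", ".."]
    with tempfile.TemporaryDirectory() as tmp:
        return {name: classify(tmp, name) for name in samples}


def roundtrip(docid: str, content: str) -> str:
    """Save content under a validated name in a throwaway directory and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = save_template(tmp, docid, content)
        with open(path, encoding="utf-8") as fh:
            return fh.read()


if __name__ == "__main__":
    for name, verdict in demo_results().items():
        print(f"{name!r:20} -> {verdict}")
    print(roundtrip("consent.txt", "constructed sample content"))
```

The order of the checks matters for the operational point in the analysis: the extension allowlist alone would not stop a write outside the template directory, and the containment check alone would still let an attacker drop a `.php` file inside it. Both are needed, and the canonicalisation step is what makes the containment check hold when the base directory is itself reached through a symlink.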

Reservation: 08/07/2018

Disclosure: 08/13/2018

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.18208

KEV: no

Activities: very low

Sources
