
OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability

High
Advisory ID: ZSL-2013-5126
Release Date: 13 February 2013
Vendor:
Affected Version: 4.1.1
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Fedora Linux, Apache2, PHP 5.4, MySQL 5.5
Summary

OpenEMR is a Free and Open Source electronic health records and medical practice management application that can run on Windows, Linux, Mac OS X, and many other platforms.

Description

The vulnerability is caused by improper verification of uploaded files in the '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script through the 'name' parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions.

/library/openflashchart/php-ofc-library/ofc_upload_image.php:
----------------------
// Excerpt: non-contiguous lines from the script
$default_path = '../tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
$destination = $default_path . basename( $_GET[ 'name' ] );
echo 'Saving your image to: '. $destination;
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);
exit();
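
A hardened form of the write path quoted above, as an added example (not OpenEMR's patch and not code from this advisory); the function names, size limit and allow-list are assumptions. It refuses names with more than one dot, derives the type from the uploaded bytes, and stores the file under a server-chosen name and extension.

```php
<?php
// Added example, not OpenEMR's patch. Names and limits are assumptions.
const ALLOWED_TYPES = [            // detected MIME type => extension we assign
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2097152;         // assumed 2 MiB limit
// Returns a server-chosen file name, or null if the upload is rejected.
function safe_image_name(string $requested, string $body): ?string
{
    if ($body === '' || strlen($body) > MAX_BYTES) {
        return null;
    }
    // Exactly one dot: "x.php.png" and "x.png.php" are refused outright.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}\z/', $requested)) {
        return null;
    }
    // Decide the type from the bytes, never from the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_TYPES)) {
        return null;
    }
    // The stored name keeps nothing the client sent.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}
function store_upload(string $dir, string $requested, string $body): ?string
{
    $name = safe_image_name($requested, $body);
    if ($name === null) {
        return null;
    }
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {   // 0750, not 0777
        return null;
    }
    $path = rtrim($dir, '/') . '/' . $name;
    $fh = fopen($path, 'x');       // 'x' refuses to overwrite an existing file
    if ($fh === false) {
        return null;
    }
    fwrite($fh, $body);
    fclose($fh);
    return $path;
}
// Constructed inputs: a minimal GIF header and PHP source posing as an image.
$gif = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
foreach ([['chart.gif', $gif], ['shell.php.gif', $gif], ['shell.gif', '<?php echo 1;']] as [$n, $b]) {
    printf("%-14s %s\n", $n, safe_image_name($n, $b) === null ? 'rejected' : 'accepted');
}
```

Content sniffing alone does not stop a file that is both a valid image and PHP source, which is why the stored extension comes from the allow-list rather than the request. The upload directory should additionally be configured so the web server never executes scripts from it.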
Proof of Concept
Disclosure Timeline
14.02.2013 Vendor releases patch 4.1.1-Patch-10 to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
13.02.2013 Initial release
14.02.2013 Added vendor status and reference [2], [3], [4] and [5]
15.02.2013 Added reference [6], [7] and [8]
20.02.2013 Added reference [9], [10] and [11]
05.10.2014 Added reference [12] and [13]
08.10.2014 Added reference [14]
19.05.2015 Added reference [15]