bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/xml/webapps/38897.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

78 lines
No EOL
3.2 KiB
Text
Raw Permalink Blame History

OpenMRS 2.3 (1.11.4) Expression Language Injection Vulnerability
Vendor: OpenMRS Inc.
Product web page: http://www.openmrs.org
Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
Summary: OpenMRS is an application which enables design
of a customized medical records system with no programming
knowledge (although medical and systems analysis knowledge
is required). It is a common framework upon which medical
informatics efforts in developing countries can be built.
Desc: Input passed via the 'personType' parameter is not
properly sanitised in the spring's expression language
support via 'addPerson.htm' script before being used. This
can be exploited to inject expression language (EL) and
subsequently execute arbitrary Java code.
Tested on: Ubuntu 12.04.5 LTS
Apache Tomcat/7.0.26
Apache Tomcat/6.0.36
Apache Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5288
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5288.php
Affected: OpenMRS Core, Serialization.Xstream module, Metadata Sharing module
Severity: Major
Exploit: Remote Code Execution by an authenticated user
Vendor Bug Fixes:
Disabled serialization and deserialization of dynamic proxies
Disabled deserialization of external entities in XML files
Disabled spring's Expression Language support
https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868
https://talk.openmrs.org/t/critical-security-advisory-2015-11-25/3824
https://wiki.openmrs.org/display/RES/Release+Notes+2.3.1
http://openmrs.org/2015/12/reference-application-2-3-1-released/
https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.9.10
https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.10.3
https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.11.5
https://modules.openmrs.org/modulus/api/releases/1308/download/serialization.xstream-0.2.10.omod
https://modules.openmrs.org/modulus/api/releases/1309/download/metadatasharing-1.1.10.omod
https://modules.openmrs.org/modulus/api/releases/1303/download/reporting-0.9.8.1.omod
OpenMRS platform has been upgraded to version 1.11.5
Reporting module has been upgraded to version 0.9.8.1
Metadata sharing module has been upgraded to version 1.1.10
Serialization.xstream module has been upgraded to version 0.2.10
Who is affected?
Anyone running OpenMRS Platform (1.9.0 and later)
Anyone running OpenMRS Reference Application 2.0, 2.1, 2.2, 2.3
Anyone that has installed the serialization.xstream module except for the newly released 0.2.10 version.
Anyone that has installed the metadatasharing module except for the newly released 1.1.10 version.
02.11.2015
--
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${3*3}&viewType=
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${applicationScope}&viewType=
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=%3Ci%3E${username}&viewType=
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${cookie[%22JSESSIONID%22].value}
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${Condition?%22Ok%22:3%3C2}
Reference in a new issue View git blame Copy permalink