This article is part of our Vulnerability Database.

Path Traversal occurrences in OpenEMR

In OpenEMR 5.0.1 and earlier, the patient file download interface contains a directory traversal flaw that allows authenticated attackers to download arbitrary files from the host system. (2019-08-20, CVE-2019-3967)

An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable by the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from the server. (2019-08-13, CVE-2019-14530)

An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template.php. (2019-05-17, CVE-2018-17180)

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to delete arbitrary files via the "docid" parameter when the mode is set to delete. (2018-08-13, CVE-2018-15141)

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to execute arbitrary PHP code by writing a file with a PHP extension via the "docid" and "content" parameters and accessing it in the traversed directory. (2018-08-13, CVE-2018-15142)

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter when the mode is set to get. (2018-08-13, CVE-2018-15140)
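
The three portal/import_template.php entries above share one root cause: "docid" is used as a path without being confined to the template directory. The following hardened resolver is an added illustration, not OpenEMR's code; resolve_docid(), the .tpl extension allow-list and the directory layout are assumptions.

```php
<?php
// Added illustration, not OpenEMR code. resolve_docid(), the ".tpl" allow-list and
// the directory layout are hypothetical; docid and mode are the parameters named above.
function resolve_docid(string $baseDir, string $docid, string $mode): string
{
    if (!in_array($mode, ['get', 'save', 'delete'], true)) {
        throw new InvalidArgumentException('unsupported mode');
    }
    // Allow-list a bare file name with one fixed extension: no "/", "\", NUL or "..",
    // and no way for "save" to create a file the web server would run as PHP.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.tpl\z/', $docid)) {
        throw new InvalidArgumentException('docid is not a plain .tpl file name');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('template directory missing');
    }
    $path = $base . DIRECTORY_SEPARATOR . $docid;
    if (file_exists($path) || is_link($path)) {
        // Resolve symlinks and confirm the target still sits directly inside the base.
        $real = realpath($path);
        if ($real === false || dirname($real) !== $base) {
            throw new RuntimeException('docid resolves outside the template directory');
        }
        return $real;
    }
    if ($mode !== 'save') {
        throw new RuntimeException('no such template');
    }
    return $path; // new file, created directly under $base
}

// Constructed sample inputs, checked against a throwaway directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir($dir);
foreach (['intake.tpl', '../intake.tpl', 'notes.php', 'a/b.tpl'] as $docid) {
    try {
        printf("%-16s accepted: %s\n", $docid, resolve_docid($dir, $docid, 'save'));
    } catch (Exception $e) {
        printf("%-16s rejected: %s\n", $docid, $e->getMessage());
    }
}
rmdir($dir);
```

Only the first sample value is accepted; the same resolver should sit in front of the read, write and delete branches so that no mode touches a path it has not validated.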

Why Path Traversal can be dangerous

Relative Path Confusion means that your web server is configured to serve responses to ambiguous URLs. This configuration can cause confusion about the correct relative path for the URL. It also affects resources such as images and styles that are specified in the response using a relative path rather than an absolute URL.

If the web browser permits parsing of a "cross-content" response, the attacker may be able to fool the web browser into interpreting HTML as another content type, which can then lead to a cross-site scripting (XSS) attack.
