OpenMRS Core, Path Traversal, CVE-2022-23612 (Medium)

The vulnerability resides in the ModuleResourcesServlet. The getFile() method constructs a filesystem path from user-controlled input without performing path boundary validation. The ModuleUtil.getPathForResource() method strips the module ID prefix but does not sanitize path traversal sequences like "../".

As a result, an attacker can send a crafted HTTP request to the `/openmrs/moduleResources/{moduleid}` endpoint that includes directory traversal payloads. The server resolves the path outside the intended module resources directory and returns arbitrary files from the host filesystem, such as `/etc/passwd` or configuration files containing database credentials.

This endpoint is not protected by authentication filters because it serves static resources required for rendering the login page. Therefore, the vulnerability can be exploited by an unauthenticated attacker. Successful exploitation requires the target deployment to run on Apache Tomcat versions prior to 8.5.31, which do not mitigate the `..;` path parameter bypass.

The vulnerability was patched in OpenMRS Core versions 2.1.5, 2.2.1, 2.3.5, 2.4.5, and 2.5.3.

DailyCVE Form

Platform: OpenMRS Core
Version: ≤2.7.8
Vulnerability: Path Traversal
Severity: Medium
Date: 2022-02-22

Prediction: Patch Date: 2022-02-22

Analytics under What Undercode Say

Bash commands to reproduce:

curl -i 'http://target/openmrs/moduleResources/legacyui/../../../../../../etc/passwd'

Vulnerable code snippet:

File file = new File(filterConfig.getServletContext().getRealPath(servletPath));
if (httpRequest.getPathInfo() != null) {
    file = new File(file, httpRequest.getPathInfo()); // VULNERABILITY: user-controlled path
}

Exploit

Send a GET request to `/openmrs/moduleResources/{moduleid}/../../../../../../etc/passwd` to read sensitive files. Successful exploitation allows an unauthenticated attacker to access configuration files, database credentials, and other sensitive data from the server filesystem.

Protection from this CVE

Upgrade to OpenMRS Core versions 2.1.5, 2.2.1, 2.3.5, 2.4.5, or 2.5.3. If immediate upgrade is not possible, ensure the application is running on a compliant Servlet container such as Apache Tomcat 8.5.31 or later, which mitigates the path traversal at the container level.
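
The path boundary validation that the vulnerable code lacks can be sketched as follows. This is an added example, not OpenMRS's actual patch or code from the page; the class `ResourcePathGuard`, the method `resolveInside` and the temp-directory sample files are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration, not OpenMRS code: class and method names are hypothetical.
public class ResourcePathGuard {

    // Resolves a request-supplied relative path under baseDir and returns it
    // only if the result is still inside baseDir; otherwise returns null.
    static Path resolveInside(Path baseDir, String requested) throws IOException {
        if (requested == null || requested.indexOf('\0') >= 0) {
            return null;
        }
        // toRealPath() canonicalizes the base directory and follows symlinks.
        Path base = baseDir.toRealPath();
        // Strip leading separators so the input is always treated as relative.
        String relative = requested.replaceFirst("^[/\\\\]+", "");
        Path candidate = base.resolve(relative).normalize();
        // Path.startsWith compares whole name elements, so "/srv/res-evil"
        // does not pass as a child of "/srv/res".
        if (!candidate.startsWith(base)) {
            return null;
        }
        // If the file exists, re-check after symlink resolution.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temp directory.
        Path root = Files.createTempDirectory("moduleResources");
        Path moduleDir = Files.createDirectories(root.resolve("legacyui"));
        Files.writeString(moduleDir.resolve("style.css"), "body{}");
        Files.writeString(root.resolve("secret.properties"), "constructed=value");

        String[] inputs = { "style.css", "/style.css", "../secret.properties",
                            "css/../../secret.properties", "../../../../etc/passwd" };
        for (String in : inputs) {
            Path p = resolveInside(moduleDir, in);
            System.out.println(in + " -> " + (p == null ? "REJECTED" : "served: " + p.getFileName()));
        }
    }
}
```

Run it with Java 11 or later using `java ResourcePathGuard.java`; a caller should answer a null result with HTTP 404 rather than opening the file.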

Impact

An unauthenticated attacker can read arbitrary files from the server filesystem, potentially gaining access to sensitive configuration files, database credentials, and other confidential data. This can lead to further exploitation and compromise of the entire system.

Sources:

Reported By: github.com