Jump to content
Praetorian503

OpenEMR 4.1.1 Cross Site Scripting

By Praetorian503, in Exploituri

Recommended Posts

Praetorian503 Newbie

Praetorian503

Posted
Posted

OpenEMR version 4.1.1 suffers from a cross site scripting vulnerability.


OpenEMR 4.1.1 (site param) Remote XSS Vulnerability


Vendor: OpenEMR
Product web page: http://www.open-emr.org
Affected version: 4.1.1

Summary: OpenEMR is a Free and Open Source electronic health records and medical
practice management application that can run on Windows, Linux, Mac OS X, and many
other platforms.

Desc: OpenEMR suffers from a XSS issue due to a failure to properly sanitize user-supplied
input to the 'site' GET parameter in the central 'globals.php' script which is called by
every script. Attackers can exploit this weakness to execute arbitrary HTML and script
code in a user's browser session.


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2013-5129
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5129.php

Vendor: http://www.open-emr.org/wiki/index.php/OpenEMR_Patches


09.02.2013

--


http://localhost/openemr/[DIR]/[SCRIPT]?site="><script>alert(1);</script>

Source: PacketStorm

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...