[VIM] VERIFY of RFI and XSS in OpenEMR 2.8.2 (was [still bogus] V [mike at carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion])

Heinbockel, Bill heinbockel at mitre.org
Wed Jan 31 14:29:39 EST 2007


No, this is not the case. The report is perfectly valid as shown
through later Bugtraq discussions.

This post is for VIM accuracy and completeness, as well as 
to demonstrate the problems with post-disclosure analysis.


Problem 1 (researcher):
The researcher claims that there is an RFI in import_xml.php in 
Open Conference Systems (ocs). A look at the example RFI shows
that the problem is actually within OpenEMR 2.8.2:
 
http://localhost/ocs/openemr-2.8.2/custom/import_xml.php?srcdir=evilcode


Problem 2 (post-disclosure analyst):
Looking at custom/import_xml.php in OpenEMR 2.8.2 (lines 13-15):
> include_once("../interface/globals.php");
> include_once("$srcdir/patient.inc");
> include_once("$srcdir/acl.inc");

Now tracing back into interface/globals.php:
> $GLOBALS['srcdir'] = "$webserver_root/library";  // line 24
> ...
> $srcdir = $GLOBALS['srcdir']; // line 119

** So at this point we have an apparent dispute.**

However, continuing further into interface/globals.php (lines 240-245):
> // required for normal operation because of recent changes in PHP:
> $ps = strpos($_SERVER['REQUEST_URI'],"myadmin");
> if ($ps === false) {
>     extract($_GET);
>     extract($_POST);
> }

** WHOOPS. The vendor did do the right thing, until those two little
extract statements were slipped in for "normal operation".**

===================================================================

Additionally, in follow-up Bugtraq discussions, there is an XSS in the
rootdir parameter in interface/login/login_frame.php.
This is also confirmed and stems from the same variable-overwrite issue
that caused the above RFI.

http://www.securityfocus.com/archive/1/458465/100/0/threaded
http://www.securityfocus.com/archive/1/458476/100/0/threaded


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615 

>-----Original Message-----
>From: vim-bounces at attrition.org 
>[mailto:vim-bounces at attrition.org] On Behalf Of 
>rkeith at securityfocus.com
>Sent: Montag, 29. Januar 2007 12:28
>To: Vulnerability Information Managers
>Subject: [VIM] [still bogus] V [mike at carstein.kill-9.pl: Re: 
>Open Conference Systems = 2.8.2 Remote File Inclusion] (fwd)
>
>
>This report came up on the weekend and had some conflicting 
>data. The version was wrong for the software specified, and the 
>script didn't exist. This new report points to the correct software. 
>However, the report is still bogus as a configuration file 
>(globals.php) called at the beginning of the script clearly defines 
>the specified vulnerable parameter.
>
>--
>Rob Keith
>Symantec
>
>
>----- Forwarded message from Michał Melewski 
><mike at carstein.kill-9.pl> -----
>
>From: =?UTF-8?Q?Micha=C5=82?= Melewski <mike at carstein.kill-9.pl>
>Subject: Re: Open Conference Systems = 2.8.2 Remote File Inclusion
>To: trzindan at hotmail.com
>Cc: bugtraq at securityfocus.com
>Date: Sat, 27 Jan 2007 21:55:56 +0100
>X-Mailer: Evolution 2.8.2.1
>Message-Id: <1169931357.8362.3.camel at localhost>
>
>Dnia 27-01-2007, sob o godzinie 12:52 +0000, trzindan at hotmail.com
>napisał(a):
>> 
>> #########################################################################
>> # Open Conference Systems <= 2.8.2 Remote File Inclusion
>> # Download Source : http://pkp.sfu.ca/ocs/download/ocs-1.1.3.tar.gz
>
>> #
>> # Found By        : Tr_ZiNDaN
>> # Location        : TurkeY --  #trzindan at hotmail.fr
>> 
>> ########################################################################
>This bug has nothing to do with Open Conference System. This 
>is a bug in
>OpenEMR (http://http://www.oemr.org/)
>
>
>-- 
>Michael "carstein" Melewski  |  "We have no future because our present
>carstein()7thguard.net       |  is too volatile. We have only risk
>mobile: 512 357 303          |  management. The spinning of the given
>JID: carstein()gentoo.pl     |  moment's scenarios. Pattern recognition."
>
>--- end forwarded message ---
>
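An added illustration of the variable-overwrite mechanism analysed above (example code, not OpenEMR's own): a simplified stand-in for the globals.php / import_xml.php flow, showing why extract() on request data clobbers the configured $srcdir and two ways a maintainer can close that path. The /var/www/openemr path and the attacker.invalid value are constructed samples.

```php
<?php
// Added example, not OpenEMR's code: a simplified stand-in for the
// globals.php / import_xml.php flow described in the analysis above.

// What the configuration step does: $srcdir is set to a fixed library path.
$webserver_root = '/var/www/openemr';          // constructed sample path
$configured_srcdir = "$webserver_root/library";

// Pattern from the report: extract() on request data with its default
// EXTR_OVERWRITE flag replaces the already-configured $srcdir.
function resolve_srcdir_vulnerable(array $request, string $configured): string
{
    $srcdir = $configured;
    extract($request);              // EXTR_OVERWRITE is the default
    return $srcdir;                 // now whatever the request supplied
}

// Mitigation 1: EXTR_SKIP refuses to overwrite variables that already exist.
// This closes the overwrite but still lets a request create arbitrary new
// variables, so the real fix is to stop extracting request data at all.
function resolve_srcdir_hardened(array $request, string $configured): string
{
    $srcdir = $configured;
    extract($request, EXTR_SKIP);
    return $srcdir;
}

// Mitigation 2: before any include built from a path variable, confirm the
// resolved path is a local directory under the configured root. realpath()
// returns false for URLs and for paths that do not exist, so both are rejected.
function is_local_under_root(string $candidate, string $root): bool
{
    $real = realpath($candidate);
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false) {
        return false;
    }
    return strncmp($real, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) === 0;
}

// Constructed request standing in for ?srcdir=<attacker-controlled value>.
$request = ['srcdir' => 'http://attacker.invalid/evilcode'];

echo "vulnerable: ", resolve_srcdir_vulnerable($request, $configured_srcdir), "\n";
echo "hardened:   ", resolve_srcdir_hardened($request, $configured_srcdir), "\n";
var_dump(is_local_under_root($request['srcdir'], $webserver_root));
```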

