CVE-2007-0649
Published: 2007-02-01
Priority: P4 · 26 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:H/Au:M/C:P/I:P/A:P
EXPLOIT
EPSS: 6.17% (92.6th percentile)
Variable overwrite vulnerability in interface/globals.php in OpenEMR 2.8.2 and earlier allows remote attackers to overwrite arbitrary program variables and conduct other unauthorized activities, such as (a) remote file inclusion attacks via the srcdir parameter in custom/import_xml.php or (b) cross-site scripting (XSS) attacks via the rootdir parameter in interface/login/login_frame.php, via vectors associated with extract operations on the (1) POST and (2) GET superglobal arrays. NOTE: this issue was originally disputed before the extract behavior was identified in post-disclosure analysis. Also, the original report identified "Open Conference Systems," but this was an error.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openemr | openemr | <= 2.8.2 | — |
No detection rules found.
Exploit-DB
OpenEMR 2.8.2 - 'Login_Frame.php' Cross-Site Scripting
exploitdb·2007-01-31
---
source: https://www.securityfocus.com/bid/22348/info
OpenEMR is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects version 2.8.2; other versions may also be vulnerable.
http://www.example.com/openemr/interface/login/login_frame.php?rootdir=[XSS]
Exploit-DB
OpenEMR 2.8.2 - 'Import_XML.php' Remote File Inclusion
exploitdb·2007-01-31
---
source: https://www.securityfocus.com/bid/22346/info
OpenEMR is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
This issue affects version 2.8.2; other versions may also be vulnerable.
http://www.example.com/openemr-2.8.2/custom/import_xml.php?srcdir=evilcode
No writeups or analysis indexed.
CWE
Improper Control of Dynamically-Identified Variables
mitre_cwe·CVSS 6.4
[MEDIUM] CWE-914 Improper Control of Dynamically-Identified Variables
The product does not properly restrict reading from or writing to dynamically-identified variables.
Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Modify Application Data. An attacker could modify sensitive data or program variables.
Scope: Integrity. Impact: Execute Unauthorized Code or Commands.
Scope: Other, Integrity. Impact: Varies by Context, Alter Exec
CWE
Variable Extraction Error
mitre_cwe·CVSS 7.5
[HIGH] CWE-621 Variable Extraction Error
The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.
For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. Similar functionality is possible in other interpreted languages, including custom languages.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: M
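The CWE-621 description above, shown as an added PHP example (not OpenEMR code and not part of the original record): the default extract() call beside EXTR_SKIP and an allow-list that avoids extract() entirely. The function names, the `/srv/app/library` path and the `$request` array are hypothetical, constructed stand-ins for application code and `$_GET`.

```php
<?php
// Added illustration of CWE-621; not OpenEMR code. All names are hypothetical.

// Constructed stand-in for $_GET: one expected key and one key that collides
// with an internal variable name.
$request = ['lang' => 'en', 'srcdir' => 'value-from-request'];

// Vulnerable pattern: extract() defaults to EXTR_OVERWRITE, so a request key
// named like an existing variable replaces that variable's value.
function resolve_unsafe(array $request): string
{
    $srcdir = '/srv/app/library';          // hypothetical trusted path
    extract($request);
    return $srcdir;
}

// Partial fix: EXTR_SKIP leaves variables that already exist untouched, but
// still creates any variable that has not been initialised yet.
function resolve_skip(array $request): string
{
    $srcdir = '/srv/app/library';
    extract($request, EXTR_SKIP);
    return $srcdir;
}

// Hardened form: no extract(); copy only allow-listed keys after validation.
function resolve_allowlist(array $request): array
{
    $srcdir = '/srv/app/library';
    $rules  = ['lang' => '/\A[a-z]{2}\z/']; // key => pattern the value must match
    $params = [];
    foreach ($rules as $key => $pattern) {
        $value = $request[$key] ?? null;
        if (is_string($value) && preg_match($pattern, $value) === 1) {
            $params[$key] = $value;
        }
    }
    return ['srcdir' => $srcdir, 'params' => $params];
}

printf("default extract : %s\n", resolve_unsafe($request));
printf("EXTR_SKIP       : %s\n", resolve_skip($request));
printf("allow-list      : %s\n", json_encode(resolve_allowlist($request)));
```

Only the first function lets the request change `$srcdir`; EXTR_SKIP protects it solely because it is assigned before the extract() call, which is why the allow-list form is the one to rely on.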
Published: 2007-02-01