CVE-2017-9380
Published 2017-06-02
Priority: P2 (69) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 15.19% (96.3rd percentile)
OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-emr | openemr | <= 5.0.0 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /controller.php?document&upload containing multipart file uploads with PHP file extensions (e.g., .php) as the filename, indicating an attempted webshell upload via the unrestricted file upload vulnerability.
- Detect the exploit's sequential authentication + patient registration + file upload pattern: POST to main_screen.php?auth=login, then POST to new_comprehensive_save.php, then POST to controller.php?document&upload, all within the same session.
- Flag HTTP requests where a POST to /interface/new/new_comprehensive_save.php is immediately followed by a file upload to /controller.php?document&upload from the same source IP, as this matches the exploit's automated patient-creation-then-upload flow.
- Look for the specific multipart boundary string `-----------------------------370797319835249590062969815666` in HTTP request bodies; it is a static artifact of the public exploit script.
- The exploit requires valid credentials (an authenticated low-privilege user); unauthenticated exploitation is not possible. Detection should account for the authenticated session preceding the upload.
- The vulnerability is exploitable only if the web server serves files from the patient document upload directory. OpenEMR recommends restricting access to this directory, but this is often not enforced.
- The exploit uses p0wny-shell as the uploaded webshell payload; detection of the shell's execution patterns (e.g., exec() calls, cwd traversal) may be relevant for post-exploitation detection.
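The following detector is an added example, not code from this page, from OpenEMR or from any of the referenced advisories. It turns the IOC bullets above into three checks over request records: a PHP-extension filename on an upload to the document controller, the static multipart boundary, and the login / patient-save / upload sequence correlated by session (falling back to source IP). The record layout (timestamp, source IP, session id, method, path, multipart filename and boundary) is an assumption about what a WAF or reverse-proxy log exports; the sample records are constructed, and the `/interface/main/` prefix on the login path is assumed (the bullets name only the script). The extension check goes slightly beyond the page by also flagging PHP extensions in the middle of a filename such as `x.php.jpg`.

```python
"""Detection example for the CVE-2017-9380 IOC bullets (added, not from the page)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Static multipart boundary quoted on the page as an artifact of the public exploit script.
STATIC_BOUNDARY = "-----------------------------370797319835249590062969815666"

# Extensions a PHP handler may execute; the page names only .php, this set generalizes.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Request sequence described in the IOC bullets (matched by suffix, directory prefix assumed).
LOGIN_PATH = "main_screen.php?auth=login"
PATIENT_SAVE_PATH = "/interface/new/new_comprehensive_save.php"
UPLOAD_PATH = "/controller.php?document&upload"


@dataclass
class Request:
    ts: datetime
    src_ip: str
    session: str                     # session cookie value, "" if none
    method: str
    path: str
    filename: Optional[str] = None   # from multipart Content-Disposition, if any
    boundary: Optional[str] = None   # multipart boundary from Content-Type, if any


def _key(req: Request) -> str:
    # Correlate by session when present, else by source IP (third bullet).
    return req.session or req.src_ip


def _is_upload(req: Request) -> bool:
    return req.method == "POST" and req.path.endswith(UPLOAD_PATH)


def dangerous_upload(req: Request) -> bool:
    """First bullet: document upload whose filename carries a PHP extension."""
    if not (_is_upload(req) and req.filename):
        return False
    # Check every dotted segment so 'x.php.jpg' is caught as well as plain 'x.php'.
    segments = req.filename.lower().split(".")[1:]
    return any("." + s in PHP_EXTENSIONS for s in segments)


def static_boundary(req: Request) -> bool:
    """Fourth bullet: the exploit script's fixed multipart boundary."""
    return req.boundary == STATIC_BOUNDARY


def exploit_sequence(requests: List[Request],
                     window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, bool]]:
    """Second and third bullets: patient save followed by a document upload under the
    same session/IP within `window`. Returns (key, src_ip, login_seen) per hit."""
    by_key = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        by_key[_key(r)].append(r)
    hits = []
    for key, reqs in by_key.items():
        for i, r in enumerate(reqs):
            if not _is_upload(r):
                continue
            earlier = [e for e in reqs[:i] if e.method == "POST" and r.ts - e.ts <= window]
            if any(e.path.endswith(PATIENT_SAVE_PATH) for e in earlier):
                login_seen = any(e.path.endswith(LOGIN_PATH) for e in earlier)
                hits.append((key, r.src_ip, login_seen))
    return hits


def analyze(requests: List[Request]) -> List[tuple]:
    """Run all three checks and return one alert tuple per finding."""
    alerts = []
    for r in requests:
        if dangerous_upload(r):
            alerts.append(("php_upload", _key(r), r.filename))
        if static_boundary(r):
            alerts.append(("static_boundary", _key(r), r.boundary))
    for key, ip, login_seen in exploit_sequence(requests):
        alerts.append(("exploit_sequence", key, ip, login_seen))
    return alerts


# Constructed sample records: one ordinary clinic session and one matching the IOC pattern.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_REQUESTS = [
    Request(T0, "10.0.0.5", "sessA", "POST", "/interface/main/main_screen.php?auth=login"),
    Request(T0 + timedelta(minutes=3), "10.0.0.5", "sessA", "GET",
            "/interface/patient_file/summary/demographics.php"),
    Request(T0 + timedelta(minutes=4), "10.0.0.5", "sessA", "POST", "/controller.php?document&upload",
            filename="lab_report.pdf", boundary="----WebKitFormBoundaryabc123"),
    Request(T0 + timedelta(minutes=20), "203.0.113.9", "sessB", "POST",
            "/interface/main/main_screen.php?auth=login"),
    Request(T0 + timedelta(minutes=20, seconds=2), "203.0.113.9", "sessB", "POST",
            "/interface/new/new_comprehensive_save.php"),
    Request(T0 + timedelta(minutes=20, seconds=4), "203.0.113.9", "sessB", "POST",
            "/controller.php?document&upload", filename="notes.php", boundary=STATIC_BOUNDARY),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_REQUESTS):
        print(alert)
```

Only the second session produces alerts: the PDF upload in the first session has no PHP extension, a browser-generated boundary, and no patient-save step before it. The sequence rule reports whether the login was also seen so that the fifth bullet (authenticated access is required) can be used to rank the hit.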
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/163087/OpenEMR-5.0.0-Remote-Shell-Upload.html
- https://github.com/Hacker5preme/Exploits/tree/main/CVE-2017-9380-Exploit
- https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-002