CVE-2018-15139
published 2018-08-13CVE-2018-15139: Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute…
PriorityP271high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
19.27%
97.0th percentile
Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-emr | openemr | < 5.0.1.4 | 5.0.1.4 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor POST requests to /interface/super/manage_site_files.php containing multipart file uploads with PHP extensions (e.g., .php) in the form_image field, indicating attempted webshell upload. ↗
- →Alert on HTTP GET/POST requests to /sites/default/images/*.php, which indicates execution of an uploaded PHP webshell in the images directory. ↗
- →Detect multipart upload requests to manage_site_files.php where the uploaded file's Content-Type is application/x-php, as used by the exploit to bypass upload restrictions. ↗
- →Detect login attempts to OpenEMR followed immediately by a file upload to manage_site_files.php, as the exploit authenticates then uploads a webshell in sequence. ↗
- ·The vulnerability affects OpenEMR versions prior to 5.0.1.4 only; patched versions restrict PHP file uploads via the images upload form. ↗
- ·Exploitation requires prior authentication (valid admin credentials); unauthenticated attackers cannot directly exploit this vulnerability. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)
exploitdb·2021-07-13·CVSS 8.8
CVE-2018-15139 [HIGH] OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)
---
# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)
# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)
# Date: 2021-07-05
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml
# Version: [--debug]
#{__FILE__} -h | --help
Options:
Root URL (base path) including HTTP scheme, port and root folder
Filename of the shell to be uploaded
Username of the admin
Password of the admin
--debug Display arguments
-h, --help Show this screen
Examples:
#{__FILE__} exploit http://example.org/openemr shell.p
Exploit-DB
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)
exploitdb·2021-06-14·CVSS 8.8
CVE-2018-15139 [HIGH] OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)
---
# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)
# Date 12.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
# Version: Prior to 5.0.1.4
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-15139
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139
'''
Description:
Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote
authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload
form and accessing
No writeups or analysis indexed.
http://packetstormsecurity.com/files/163110/OpenEMR-5.0.1.3-Shell-Upload.htmlhttp://packetstormsecurity.com/files/163482/OpenEMR-5.0.1.3-Shell-Upload.htmlhttps://github.com/Hacker5preme/Exploits/tree/main/CVE-2018-15139-Exploithttps://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/http://packetstormsecurity.com/files/163110/OpenEMR-5.0.1.3-Shell-Upload.htmlhttp://packetstormsecurity.com/files/163482/OpenEMR-5.0.1.3-Shell-Upload.htmlhttps://github.com/Hacker5preme/Exploits/tree/main/CVE-2018-15139-Exploithttps://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
2018-08-13
Published