OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability

Title: OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability
Advisory ID: ZSL-2013-5126
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 13.02.2013
Summary
OpenEMR is a Free and Open Source electronic health records and medical practice management application that can run on Windows, Linux, Mac OS X, and many other platforms.
Description
The vulnerability is caused by improper verification of uploaded files in the '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script through the 'name' parameter: the script takes the destination file name from that parameter, applies only basename(), and writes the raw POST body to that name in a web-accessible directory without checking the extension or the content. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions.

--------------------------------------------------------------------------------

/library/openflashchart/php-ofc-library/ofc_upload_image.php:
----------------------

21: $default_path = '../tmp-upload-images/';
23: if (!file_exists($default_path)) mkdir($default_path, 0777, true);
26: $destination = $default_path . basename( $_GET[ 'name' ] );
28: echo 'Saving your image to: '. $destination;
39: $jfh = fopen($destination, 'w') or die("can't open file");
40: fwrite($jfh, $HTTP_RAW_POST_DATA);
41: fclose($jfh);
46: exit();

--------------------------------------------------------------------------------
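As an added example (not OpenEMR's code and not the vendor's 4.1.1-Patch-10 fix), the following shows how the unchecked basename() write in the excerpt above can be hardened: a single-extension allowlist that rejects double extensions, a content check on the request body, and a write confined to the upload directory. The function name safe_image_destination and the UPLOAD_DIR constant are this example's own choices.

```php
<?php
// Hardened replacement for the `basename($_GET['name'])` write shown in the
// advisory. Names here (safe_image_destination, UPLOAD_DIR) are assumptions
// of this example, not identifiers from OpenEMR.

// Same web-root-relative upload directory the original script uses.
const UPLOAD_DIR = __DIR__ . '/../tmp-upload-images/';

// Return a safe destination path, or null if the request must be rejected.
function safe_image_destination(string $name, string $raw_body): ?string
{
    // basename() alone is not enough: it still accepts "shell.php" and
    // "shell.php.jpg", which is exactly what the advisory describes.
    $base = basename($name);

    // Allowlist: one short alphanumeric stem and exactly one image extension.
    // The single "\." rejects double extensions such as "x.php.png".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)\z/i', $base, $m)) {
        return null;
    }

    // The body must be an image of the declared kind, not PHP source.
    $expected = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($raw_body);
    if ($mime !== $expected[strtolower($m[1])]) {
        return null;
    }

    // Confine the write to the resolved upload directory (no ".." or symlinks
    // can escape it, since $base has no separators and the dir is canonical).
    $dir = realpath(UPLOAD_DIR);
    return $dir === false ? null : $dir . DIRECTORY_SEPARATOR . $base;
}

// Read the body once ($HTTP_RAW_POST_DATA is gone in PHP 7; php://input
// replaces it), validate, and refuse to overwrite an existing file.
$body = file_get_contents('php://input');
$destination = safe_image_destination($_GET['name'] ?? '', $body);
if ($destination === null || file_exists($destination)) {
    http_response_code(400);
    exit('upload rejected');
}
file_put_contents($destination, $body, LOCK_EX);
chmod($destination, 0644);
```

A valid image can still carry PHP in a metadata field, so the upload directory should additionally be served with PHP execution disabled (for Apache, `php_admin_flag engine off` or an equivalent handler restriction) rather than created world-writable with mkdir(..., 0777).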

Vendor
OpenEMR - http://www.open-emr.org
Affected Version
4.1.1
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Fedora Linux
Apache2, PHP 5.4, MySQL 5.5
Vendor Status
[14.02.2013] Vendor releases patch 4.1.1-Patch-10 to address this issue.
PoC
openemr_shell.php
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2013020094
[2] http://packetstormsecurity.com/files/120274
[3] http://www.securityfocus.com/bid/37314
[4] http://1337day.com/exploit/20359
[5] http://www.open-emr.org/wiki/index.php/OpenEMR_Patches
[6] http://www.exploit-db.com/exploits/24492/
[7] http://secunia.com/advisories/52145/
[8] http://www.osvdb.org/show/osvdb/90222
[9] http://packetstormsecurity.com/files/120403
[10] http://www.metasploit.com/modules/exploit/unix/webapp/openemr_upload_exec
[11] http://www.exploit-db.com/exploits/24529/
[12] http://www.rapid7.com/db/modules/exploit/unix/webapp/open_flash_chart_upload_exec/
[13] http://www.osvdb.org/59051
[14] http://www.open-emr.org/wiki/index.php/Security_Alert_Fixes
[15] http://www.checkpoint.com/defense/advisories/public/2013/cpai-17-jun1.html
Changelog
[13.02.2013] - Initial release
[14.02.2013] - Added vendor status and reference [2], [3], [4] and [5]
[15.02.2013] - Added reference [6], [7] and [8]
[20.02.2013] - Added reference [9], [10] and [11]
[05.10.2014] - Added reference [12] and [13]
[08.10.2014] - Added reference [14]
[19.05.2015] - Added reference [15]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk