CVE-2020-27233, CVE-2020-27234, CVE-2020-27235, CVE-2020-27236, CVE-2020-27237, CVE-2020-27238, CVE-2020-27239, CVE-2020-27240, CVE-2020-27241
Multiple exploitable SQL injection vulnerabilities exist in the ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
OpenClinic GA 5.173.3
https://sourceforge.net/projects/open-clinic/
6.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OpenClinic GA is an open source fully integrated hospital management solution.
Multiple SQL injections exist due to a lack of filtering in the ‘getAssets.jsp’ source file and the underlying ‘be.Asset.Asset.java’ Java class when input parameters are used to create an Asset object, as seen below:
// Request parameters are copied straight into the search object without any filtering
Asset findObject = new Asset();
findObject.code = sCode;
findObject.nomenclature = sNomenclatureCode;
findObject.description = sDescription;
findObject.serialnumber = sSerialnumber;
findObject.comment9 = sAssetStatus;
findObject.supplierUid = sSupplierUID;
findObject.serviceuid = sServiceUid;
findObject.comment15 = sCompNomenclatureCode;
findObject.comment16 = sComponentStatus;
// Only the two date fields pass through a parser; the string fields do not
if (sPurchasePeriodBegin.length() > 0) {
    findObject.purchasePeriodBegin = ScreenHelper.parseDate(sPurchasePeriodBegin);
}
if (sPurchasePeriodEnd.length() > 0) {
    findObject.purchasePeriodEnd = ScreenHelper.parseDate(sPurchasePeriodEnd);
}
List assets = Asset.getList(findObject);
String sReturn = "";
After the above object is constructed, the SQL query is built and, eventually, executed, as seen below:
[...]
// Each non-empty field is concatenated directly into sSql; checkString() only
// normalises null to "", it does not escape quotes
if (findItem.code.length() > 0) {
    sSql = sSql + " AND (OC_ASSET_CODE = '" + findItem.code + "' or OC_ASSET_SERVERID||'.'||OC_ASSET_OBJECTID = '" + findItem.code + "')";
}
if (ScreenHelper.checkString(findItem.description).length() > 0) {
    sSql = sSql + " AND OC_ASSET_DESCRIPTION LIKE '%" + findItem.description + "%'";
}
if (ScreenHelper.checkString(findItem.serviceuid).length() > 0) {
    sSql = sSql + " AND OC_ASSET_SERVICE LIKE '" + findItem.serviceuid + "%'";
}
if (ScreenHelper.checkString(findItem.serialnumber).length() > 0) {
    sSql = sSql + " AND OC_ASSET_SERIAL LIKE '%" + findItem.serialnumber + "%'";
}
if (ScreenHelper.checkString(findItem.assetType).length() > 0) {
    sSql = sSql + " AND OC_ASSET_TYPE = '" + findItem.assetType + "'";
}
if (ScreenHelper.checkString(findItem.comment9).length() > 0) {
    sSql = sSql + " AND OC_ASSET_COMMENT9 = '" + findItem.comment9 + "'";
}
if (ScreenHelper.checkString(findItem.nomenclature).length() > 0) {
    sSql = sSql + " AND OC_ASSET_NOMENCLATURE LIKE '" + findItem.nomenclature + "%'";
}
if (ScreenHelper.checkString(findItem.nomenclature).length() > 0) {
    sSql = sSql + " AND OC_ASSET_NOMENCLATURE LIKE '" + findItem.nomenclature + "%'";
}
if (ScreenHelper.checkString(findItem.comment15).length() > 0) {
    sSql = sSql + " AND OC_ASSET_COMMENT15 LIKE '%" + findItem.comment15 + ";%'";
}
if (ScreenHelper.checkString(findItem.comment16).length() > 0) {
    sSql = sSql + " AND EXISTS (select * from OC_ASSETCOMPONENTS where OC_COMPONENT_ASSETUID=OC_ASSET_SERVERID||'.'||OC_ASSET_OBJECTID and OC_COMPONENT_NOMENCLATURE like '" + (ScreenHelper.checkString(findItem.comment15).length() == 0 ? "%" : findItem.comment15) + "' and OC_COMPONENT_STATUS='" + findItem.comment16 + "')";
}
if (ScreenHelper.checkString(findItem.supplierUid).length() > 0) {
    sSql = sSql + " AND OC_ASSET_SUPPLIERUID like '%" + findItem.supplierUid + "%'";
}
[...]
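As an added example that is not OpenClinic code, the same filter rebuilt so that every user-supplied value is bound through a placeholder instead of being spliced into sSql. The Asset field names are the advisory's; the class name, the base SELECT and the table name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical hardened builder for the filter shown above. Assumes the project's
// be.Asset.Asset class with the public fields used in the advisory; the base query
// and table name below are placeholders, not OpenClinic code.
public class AssetQueryBuilder {
    private final StringBuilder sql =
        new StringBuilder("SELECT * FROM OC_ASSETS WHERE 1=1"); // placeholder base query
    private final List<String> binds = new ArrayList<>();

    // Appends one condition and records the value to bind for its '?' placeholder.
    private void and(String clause, String value) {
        sql.append(" AND ").append(clause);
        binds.add(value);
    }

    private static boolean nonEmpty(String s) { return s != null && s.trim().length() > 0; }

    public AssetQueryBuilder fromFilter(Asset f) {
        if (nonEmpty(f.code)) {
            // Same condition as the original, with one placeholder per use of code
            sql.append(" AND (OC_ASSET_CODE = ? OR OC_ASSET_SERVERID||'.'||OC_ASSET_OBJECTID = ?)");
            binds.add(f.code);
            binds.add(f.code);
        }
        // LIKE wildcards are added here, in code, so a bound value can never change the
        // query structure. A '%' or '_' typed by the user still acts as a wildcard inside
        // the bound value; that is a matching quirk, not an injection.
        if (nonEmpty(f.description))  and("OC_ASSET_DESCRIPTION LIKE ?", "%" + f.description + "%");
        if (nonEmpty(f.serviceuid))   and("OC_ASSET_SERVICE LIKE ?", f.serviceuid + "%");
        if (nonEmpty(f.serialnumber)) and("OC_ASSET_SERIAL LIKE ?", "%" + f.serialnumber + "%");
        if (nonEmpty(f.comment9))     and("OC_ASSET_COMMENT9 = ?", f.comment9);
        if (nonEmpty(f.nomenclature)) and("OC_ASSET_NOMENCLATURE LIKE ?", f.nomenclature + "%");
        if (nonEmpty(f.supplierUid))  and("OC_ASSET_SUPPLIERUID LIKE ?", "%" + f.supplierUid + "%");
        return this;
    }

    // Binds the collected values in order; a quote in any of them is data, not SQL.
    public PreparedStatement prepare(Connection c) throws SQLException {
        PreparedStatement ps = c.prepareStatement(sql.toString());
        for (int i = 0; i < binds.size(); i++) ps.setString(i + 1, binds.get(i));
        return ps;
    }
}
```

The comment15/comment16 EXISTS subquery from the original can be converted the same way, with two further placeholders for the component nomenclature and status.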
supplierUID parameter
The supplierUID parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=y&description=&showinactive=false&serviceuid=&serialnumber=&assetStatus=&componentStatus=&supplierUID=<SQLINJECTION>&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
serviceuid parameter
The serviceuid parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=y&description=&showinactive=false&serviceuid=<SQLINJECTION>&serialnumber=&assetStatus=&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
description parameter
The description parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=y&description=<SQLINJECTION>&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
compnomenclature parameter
The compnomenclature parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=<SQLINJECTION>y&description=&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
nomenclature parameter
The nomenclature parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=<SQLINJECTION>&compnomenclature=&description=&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
code parameter
The code parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=<SQLINJECTION>&nomenclature=&compnomenclature=&description=&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
assetStatus parameter
The assetStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=&description=&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=<SQLINJECTION>&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
componentStatus parameter
The componentStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759842&code=&nomenclature=&compnomenclature=&description=&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=<SQLINJECTION>&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
serialnumber parameter
The serialnumber parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=y&description=&showinactive=false&serviceuid=&serialnumber=<SQLINJECTION>&assetStatus=&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
2020-11-19 - Initial contact
2020-12-07 - 2nd contact; copy of advisories issued and vendor acknowledged receipt
2021-02-01 - 60 day follow up; no response
2021-03-09 - 90 day follow up; no response
2021-04-13 - Final notice
Discovered by Yuri Kramarz of Cisco Talos.