CVE-2020-27233, CVE-2020-27234, CVE-2020-27235, CVE-2020-27236, CVE-2020-27237, CVE-2020-27238, CVE-2020-27239, CVE-2020-27240, CVE-2020-27241
Multiple exploitable SQL injection vulnerabilities exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
OpenClinic GA 5.173.3
https://sourceforge.net/projects/open-clinic/
6.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OpenClinic GA is an open source fully integrated hospital management solution.
Multiple SQL injections exist in the due to a lack of filtering applied in the ‘getAssets.jsp’ source file and underlying ‘be.Asset.Asset.java’ Java class when input parameters are used to create Asset object as seen below:
Asset findObject = new Asset();
findObject.code = sCode;
findObject.nomenclature = sNomenclatureCode;
findObject.description = sDescription;
findObject.serialnumber = sSerialnumber;
findObject.comment9 = sAssetStatus;
findObject.supplierUid = sSupplierUID;
findObject.serviceuid = sServiceUid;
findObject.comment15=sCompNomenclatureCode;
findObject.comment16=sComponentStatus;
if(sPurchasePeriodBegin.length() > 0){
findObject.purchasePeriodBegin = ScreenHelper.parseDate(sPurchasePeriodBegin);
}
if(sPurchasePeriodEnd.length() > 0){
findObject.purchasePeriodEnd = ScreenHelper.parseDate(sPurchasePeriodEnd);
}
List assets = Asset.getList(findObject);
String sReturn = "";
After above object is construct the SQL query is created and, eventually, executed as seen below:
[...]
if (findItem.code.length() > 0) {
sSql = sSql + " AND (OC_ASSET_CODE = '" + findItem.code + "' or OC_ASSET_SERVERID||'.'||OC_ASSET_OBJECTID = '" + findItem.code + "')";
}
if (ScreenHelper.checkString(findItem.description).length() > 0) {
sSql = sSql + " AND OC_ASSET_DESCRIPTION LIKE '%" + findItem.description + "%'";
}
if (ScreenHelper.checkString(findItem.serviceuid).length() > 0) {
sSql = sSql + " AND OC_ASSET_SERVICE LIKE '" + findItem.serviceuid + "%'";
}
if (ScreenHelper.checkString(findItem.serialnumber).length() > 0) {
sSql = sSql + " AND OC_ASSET_SERIAL LIKE '%" + findItem.serialnumber + "%'";
}
if (ScreenHelper.checkString(findItem.assetType).length() > 0) {
sSql = sSql + " AND OC_ASSET_TYPE = '" + findItem.assetType + "'";
}
if (ScreenHelper.checkString(findItem.comment9).length() > 0) {
sSql = sSql + " AND OC_ASSET_COMMENT9 = '" + findItem.comment9 + "'";
}
if (ScreenHelper.checkString(findItem.nomenclature).length() > 0) {
sSql = sSql + " AND OC_ASSET_NOMENCLATURE LIKE '" + findItem.nomenclature + "%'";
}
if (ScreenHelper.checkString(findItem.nomenclature).length() > 0) {
sSql = sSql + " AND OC_ASSET_NOMENCLATURE LIKE '" + findItem.nomenclature + "%'";
}
if (ScreenHelper.checkString(findItem.comment15).length() > 0) {
sSql = sSql + " AND OC_ASSET_COMMENT15 LIKE '%" + findItem.comment15 + ";%'";
}
if (ScreenHelper.checkString(findItem.comment16).length() > 0) {
sSql = sSql + " AND EXISTS (select * from OC_ASSETCOMPONENTS where OC_COMPONENT_ASSETUID=OC_ASSET_SERVERID||'.'||OC_ASSET_OBJECTID and OC_COMPONENT_NOMENCLATURE like '" + (ScreenHelper.checkString(findItem.comment15).length() == 0 ? "%" : findItem.comment15) + "' and OC_COMPONENT_STATUS='" + findItem.comment16 + "')";
}
if (ScreenHelper.checkString(findItem.supplierUid).length() > 0) {
sSql = sSql + " AND OC_ASSET_SUPPLIERUID like '%" + findItem.supplierUid + "%'";
}
[...]
supplierUID
parameterThe supplierUID
parameter in the getAssets.jsp
page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=y&description=&showinactive=false&serviceuid=&serialnumber=&assetStatus=&componentStatus=&supplierUID=<SQLINJECTION>&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
serviceuid
parameterThe serviceuid parameter in the getAssets.jsp
page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=y&description=&showinactive=false&serviceuid=<SQLINJECTION>&serialnumber=&assetStatus=&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
description
parameterThe description
parameter in getAssets.jsp
page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=y&description=<SQLINJECTION>&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
compnomenclature
parameterThe compnomenclature
parameter in the getAssets.jsp
page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=<SQLINJECTION>y&description=&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
nomenclature
parameterThe nomenclature
parameter in the getAssets.jsp
page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=<SQLINJECTION>&compnomenclature=&description=&showinactive=false&erviceuid=cli.gen&serialnumber=&assetStatus=&componentStatus=&suppplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
code
parameterThe code
parameter in the getAssets.jsp
page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=<SQLINJECTION>&nomenclature=&compnomenclature=&description=&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=&compnentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
assetStatus
parameterThe assetStatus
parameter in the getAssets.jsp
page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=&description=&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=<SQLINJECTION>&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
componentStatus
parameterThe componentStatus
parameter inthe getAssets.jsp
page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759842&code=&nomenclature=&compnomenclature=&description=&showinactive=false&serviceuid=cli.gen&serialnumber=&assetStatus=<SQLINJECTION>&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
serialnumber
parameterThe serialnumber
parameter in the getAssets.jsp
page is vulnerable to unauthenticated SQL injection. The following request would trigger the vulnerability:
GET /openclinic/assets/ajax/asset/getAssets.jsp?ts=1603998759824&code=&nomenclature=&compnomenclature=y&description=&showinactive=false&serviceuid=&serialnumber=<SQLINJECTION>&assetStatus=&componentStatus=&supplierUID=&purchasePeriodBegin=&skip=0&purchasePeriodEnd= HTTP/1.1
Host: [IP]:10080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Referer: http://[IP]:10080/openclinic/main.do?Page=assets/manage_assets.jsp&ts=1603998735385
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
2020-11-19 - Initial contact
2020-12-07 - 2nd contact; copy of advisories issued and vendor acknowledged receipt
2021-02-01 - 60 day follow up; no response
2021-03-09 - 90 day follow up; no response
2021-04-13 - Final notice
Discovered by Yuri Kramarz of Cisco Talos.