OpenClinica Community Edition Path Traversal Vulnerability in CRF Data Import Component Allowing Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in OpenClinica Community Edition versions through 3.12.2 and 3.13, specifically within the CRF Data Import component. The vulnerability arises in the ImportCRFData workflow, where the upload handler does not validate the filename carried by the 'xml_file' parameter, so a name containing traversal sequences causes the uploaded file to be written outside the intended directory. This flaw can be exploited remotely, leading to arbitrary file writes that could be leveraged for remote code execution on the server.

Impact

Exploitation of this vulnerability allows for arbitrary file writes on the host, with subsequent remote code execution in the context of the servlet container. This could result in a full compromise of the application server.

Reproduction

To reproduce this vulnerability, authenticate as a user with Data Manager or Clinical Research Coordinator privileges. Navigate to the 'Import CRF Data' task and upload a file using the 'xml_file' parameter. The uploaded file can be named with a traversal sequence that targets the web application's deployment directory, such as '../webapps/OpenClinica/shell.jsp'. Include a JSP payload that, when executed, reveals the server's user name, indicating successful exploitation. After uploading, access the uploaded JSP file through the web server to execute the payload, demonstrating the code execution capability.

Remediation

Users are advised not to rely on client-supplied filenames for file uploads. Instead, save uploaded files to a fixed, non-web-accessible directory using server-generated names. Reject traversal sequences and absolute paths, and enforce content-type or extension allow-lists. Additionally, validate XML files on the server side. It is recommended to run Tomcat and OpenClinica as non-privileged users, make web directories non-writable, and disable JSP execution if not needed.
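An upload handler hardened along the lines of this remediation, written here as an added example and not OpenClinica's own code; the storage directory, class name and method signatures are assumptions, while the 'xml_file' parameter and the .xml content are taken from the advisory.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

public final class SafeCrfImportUpload {
    // Fixed storage root outside the servlet container's webapps tree (assumed path; adjust per deployment).
    private static final Path STORAGE_ROOT =
            Paths.get("/var/lib/openclinica/crf-imports").toAbsolutePath().normalize();
    private static final Set<String> ALLOWED_TYPES = Set.of("text/xml", "application/xml");

    /** Stores an 'xml_file' upload under a server-generated name and returns where it landed. */
    public static Path store(String clientFilename, String contentType, InputStream body) throws IOException {
        // The client-supplied name never becomes part of a path: it is checked, then discarded.
        if (clientFilename == null || clientFilename.indexOf('\0') >= 0 || clientFilename.contains("..")
                || clientFilename.contains("/") || clientFilename.contains("\\")) {
            throw new IllegalArgumentException("rejected path-like filename");
        }
        if (!clientFilename.toLowerCase(Locale.ROOT).endsWith(".xml")) {
            throw new IllegalArgumentException("only .xml uploads are accepted");
        }
        String mediaType = contentType == null ? "" : contentType.split(";")[0].trim().toLowerCase(Locale.ROOT);
        if (!ALLOWED_TYPES.contains(mediaType)) {
            throw new IllegalArgumentException("content type not allowed: " + mediaType);
        }

        // Server-generated name; the normalized target must still sit under STORAGE_ROOT.
        Path target = STORAGE_ROOT.resolve(UUID.randomUUID() + ".xml").normalize();
        if (!target.startsWith(STORAGE_ROOT)) {
            throw new SecurityException("resolved path escaped the storage root");
        }
        Files.createDirectories(STORAGE_ROOT);
        Files.copy(body, target); // no REPLACE_EXISTING: an existing file is never overwritten
        return target;
    }
    /** Server-side XML check with DTDs (and therefore external entities) disabled; throws on bad input. */
    public static void validateXml(Path file) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try (InputStream in = Files.newInputStream(file)) {
            f.newDocumentBuilder().parse(in);
        }
    }
}
```

Because the stored name is generated server-side and the directory lies outside the webapps tree, a traversal sequence in the multipart filename can neither choose the write location nor produce a file the container would execute as JSP.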

Added: Nov 10, 2025, 1:18 AM
Updated: Nov 10, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.