OpenEMR Path Traversal Vulnerability in DICOM Zip/Export Feature Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in OpenEMR versions prior to 8.0.0.2, within the DICOM zip/export feature. The application builds the output path for the zip archive from a user-supplied destination value without validating it against path traversal sequences such as `../`, so the resulting path is not confined to the intended temporary directory. An attacker who already holds DICOM upload/export permissions can therefore have the archive written outside that directory, including under the web root. This is an arbitrary file write; if the written file is a PHP script placed where the web server executes scripts, requesting it over HTTP yields remote code execution.

Impact

Exploitation of this vulnerability allows an authenticated user with upload/export rights to write a file outside the intended directory. If the destination resolves to a location under the web root and the written file is a PHP script, requesting it over HTTP executes it, which gives remote code execution on the OpenEMR host.

Reproduction

To reproduce this vulnerability, log in as a user with document upload permissions and access to a patient context. Use the document upload feature that accepts DICOM folders. Submit the upload with a 'destination' parameter containing path traversal sequences (for example `../`) so that the resulting path points under the web root. The vulnerability is confirmed if the zip file is created outside the temporary directory; if the written file is a PHP script that the web server executes when requested, the issue escalates to remote code execution. Perform this test only on a non-production instance, since a successful attempt leaves an attacker-controlled file on the host.
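The unsafe concatenation described in the Vulnerability section, beside a hardened form that the reproduction check above would fail against, as an added example in PHP. This is illustrative code, not OpenEMR's own: the function names, the handling of the `destination` value and the temp-directory layout are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not OpenEMR's code. The handler shape, the function
// names and the temp-directory layout are assumptions for this example.

// Vulnerable pattern: the user-controlled "destination" is spliced into the
// path unchanged, so a value such as "../../interface/x" escapes $tmpDir.
function zipPathUnsafe(string $tmpDir, string $destination): string
{
    return $tmpDir . '/' . $destination . '.zip';
}

// Hardened pattern: accept only a plain file name, then verify that the
// resolved path is still inside the resolved temp directory.
function zipPathSafe(string $tmpDir, string $destination): string
{
    // 1. Allow-list the name: no separators, no NUL, no leading dot, bounded
    //    length. This alone defeats "../", but containment is still verified.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $destination)) {
        throw new InvalidArgumentException('invalid destination name');
    }

    // 2. Canonicalise the base directory; it must already exist.
    $base = realpath($tmpDir);
    if ($base === false) {
        throw new RuntimeException('temp dir does not exist');
    }

    // 3. The zip does not exist yet, so canonicalise its parent directory and
    //    require it to be exactly the base (no symlink or traversal escape).
    $candidate = $base . DIRECTORY_SEPARATOR . $destination . '.zip';
    if (realpath(dirname($candidate)) !== $base) {
        throw new RuntimeException('destination escapes temp dir');
    }
    return $candidate;
}

// Demonstration against a scratch directory (constructed for this example).
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dicom_export_demo';
if (!is_dir($tmp) && !mkdir($tmp, 0700, true)) {
    fwrite(STDERR, "cannot create $tmp\n");
    exit(1);
}

// This is the path the vulnerable code would hand to the zip writer: it
// walks out of $tmp. Nothing is written here; only the path is printed.
echo 'unsafe: ' . zipPathUnsafe($tmp, '../../interface/x') . PHP_EOL;

foreach (['study_001', '../../interface/x', '.hidden', "a\0b"] as $name) {
    try {
        echo 'safe:   ' . zipPathSafe($tmp, $name) . PHP_EOL;
    } catch (Throwable $e) {
        $shown = addcslashes($name, "\0");
        echo "rejected '$shown': " . $e->getMessage() . PHP_EOL;
    }
}
```

Run with `php example.php`. The allow-list on the name is the primary control; the `realpath` comparison is defence in depth and would also catch a base directory that itself resolves elsewhere through a symlink. Because `realpath` is evaluated before the file is created, a symlink planted between the check and the write is not covered; the allow-list, which admits no separators at all, is what closes that gap.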

Remediation

Update to OpenEMR version 8.0.0.2 or later, where this vulnerability has been fixed, and confirm the running version after the upgrade. Where the upgrade must be delayed, limit document upload and DICOM export permissions to trusted users and ensure the web server does not execute scripts from upload or temporary directories.

Added: Mar 19, 2026, 8:23 PM
Updated: Mar 19, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 10.0
exploitability: 5.8
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.