OpenMRS Core Path Traversal Vulnerability in ModuleResourcesServlet Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in the OpenMRS Core electronic medical record system, specifically in versions 2.7.8 and earlier, as well as 2.8.0 through 2.8.5. The vulnerability exists in the '/openmrs/moduleResources/{moduleid}' endpoint, which is not protected by authentication filters, allowing unauthenticated attackers to exploit the issue. The ModuleResourcesServlet fails to properly validate user-controlled path input, enabling attackers to traverse directories and access arbitrary files on the server, such as '/etc/passwd' and application configuration files containing database credentials. Successful exploitation requires the target deployment to be running on Apache Tomcat versions prior to 8.5.31, where the '..;' path parameter bypass is not mitigated by the container.
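The defensive counterpart to the flaw described above, as an added example that is not OpenMRS code: a containment check for a servlet that serves per-module resources from disk. It assumes a constructed layout of `<base>/<moduleId>/<resource>`, strips the `;param` path parameters that Tomcat removes before dispatch so that `..;` is validated as `..`, and rejects anything whose resolved path leaves the module's own directory.

```python
from pathlib import Path
from urllib.parse import unquote

# Assumed on-disk layout for this example (constructed, not OpenMRS's real paths).
MODULE_RESOURCE_BASE = Path("/srv/openmrs/moduleResources")


class UnsafeResourcePath(ValueError):
    """Raised when a request would escape the module's resource directory."""


def _strip_path_params(segment: str) -> str:
    # Servlet containers drop ';param' from each segment before the servlet sees
    # the path, so validate the form that actually reaches the filesystem: "..;" -> "..".
    return segment.split(";", 1)[0]


def safe_resource_path(module_id: str, resource: str,
                       base: Path = MODULE_RESOURCE_BASE) -> Path:
    """Return the file to serve for (module_id, resource) or raise UnsafeResourcePath."""
    raw = unquote(resource)  # containers percent-decode once before dispatch
    if "\x00" in raw or "\x00" in module_id:
        raise UnsafeResourcePath("NUL byte in path")
    # The module id is a single directory name; it must not carry separators or params.
    if any(c in module_id for c in "/\\;") or module_id in ("", ".", ".."):
        raise UnsafeResourcePath("bad module id")
    segments = [_strip_path_params(s) for s in raw.replace("\\", "/").split("/")]
    # Lexical rejection first: '..' and absolute paths are never legitimate resources.
    if raw.startswith("/") or any(s == ".." for s in segments):
        raise UnsafeResourcePath("traversal sequence in resource path")
    parts = [s for s in segments if s not in ("", ".")]
    if not parts:
        raise UnsafeResourcePath("empty resource path")
    module_root = (base / module_id).resolve()
    candidate = module_root.joinpath(*parts).resolve()
    # Containment check on the resolved path catches what lexical filtering cannot,
    # e.g. a symlink inside the module directory that points outside it.
    if module_root not in candidate.parents:
        raise UnsafeResourcePath("resolved path escapes module directory")
    return candidate


def is_safe(module_id: str, resource: str) -> bool:
    """Convenience wrapper: True if the request would be served, False if rejected."""
    try:
        safe_resource_path(module_id, resource)
        return True
    except UnsafeResourcePath:
        return False
```

The same check belongs in the servlet regardless of container version, since relying on Tomcat's normalization alone is what left the `..;` form unhandled.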

Impact

Exploitation of this vulnerability allows for unauthorized directory traversal and arbitrary file reading from the server filesystem, potentially exposing sensitive information such as database credentials and system files like '/etc/passwd'.

Reproduction

To reproduce this vulnerability, send an HTTP request to the '/openmrs/moduleResources/{moduleid}' endpoint with a crafted path that includes directory traversal sequences. The server will respond with the contents of the requested file, such as '/etc/passwd'.

Remediation

Upgrade to a 2.7.x release later than 2.7.8, or to version 2.8.6 or later, to address this vulnerability.

Added: May 5, 2026, 10:19 PM
Updated: May 5, 2026, 10:19 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 0.8
exploitability: 7.6
remediation: 0.0
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.