OpenMRS Core Zip Slip Path Traversal Vulnerability in Module Upload Endpoint
Vulnerability
A path traversal vulnerability allowing for Zip Slip attacks has been identified in OpenMRS Core versions 2.7.8 and earlier, as well as in versions 2.8.0 through 2.8.5. The issue arises in the module upload endpoint at POST '/openmrs/ws/rest/v1/module', where uploaded .omod files are automatically extracted. The extraction process in 'WebModuleUtil.startModule()' fails to properly validate ZIP entry paths, allowing crafted archives to write files outside the intended directory. An authenticated attacker with module upload privileges can exploit this flaw to execute arbitrary code by uploading a malicious JSP file and accessing it through the web application.
Impact
Successful exploitation allows authenticated users to upload files outside the intended directory, potentially leading to remote code execution if a JSP file is uploaded and accessed via the web.
Reproduction
To reproduce this vulnerability, upload a malicious .omod file containing a ZIP entry with a path traversal payload, such as 'web/module/../../../../malicious.jsp', to the module upload endpoint via Basic Auth. The server will extract the file, bypassing the incomplete path validation, and write it to a location within the web application root. If the file is a JSP script, accessing it through a browser will trigger server-side execution, achieving remote code execution.
Remediation
Users should update to OpenMRS Core versions later than 2.7.8 in the 2.7.x line or version 2.8.6 and later. Additionally, ensure that the 'module.allow_web_admin' property is consistently enforced across all module upload entry points, including the REST API.
