# OpenEMR security issue: CVE-2019-14530
Path traversal and DoS vulnerability in OpenEMR project
**Vulnerable function in file:** /openemr/custom/ajax_download.php

**Conditions:**
1. any authorized user
2. for the DoS case: the directory "/sites/default/documents/cqm_qrda/" must exist on the server (due to the logic of `unlink()`, the path to the file must consist only of existing directories, ending in an existing file)

**Vulnerable versions:** < 5.0.2; fixed in version 5.0.2.
## Description
The vulnerable variable in this function is `fileName`: it is attacker-controlled and is neither filtered nor validated.

An attacker can download any file from server storage that is readable by the www-data user.
If the requested file is writable by the www-data user
and the directory `/var/www/openemr/sites/default/documents/cqm_qrda/`
exists, the file is deleted from the server.

A missing directory is not a big obstacle, since the attacker can create it. The `higher_level_path` variable of the upload function `/openemr/controller.php?document&upload` lets the caller choose the directory name where the uploaded file is stored; if that directory does not exist (and the `patient_id` variable is numeric and greater than 0), it is created with mode 700, owned by the www-data user.

This can cause a DoS, because an attacker can delete configuration files or PHP scripts from the server.
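The defensive pattern that closes this class of bug is to refuse anything that is not a bare file name and to confirm, after canonicalisation, that the resolved path still lies inside the one directory the handler is meant to serve. The PHP below is an added illustration of that check, not OpenEMR's code and not the upstream patch; the export directory constant, the `resolve_confined_path()` helper, the two handler names and the `fileName` request parameter are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added illustration for CVE-2019-14530. This is not OpenEMR's code; the
// export directory, the parameter handling and the helper name are assumptions.

// Assumed export directory for the example (OpenEMR's real layout may differ).
const EXPORT_DIR = '/var/www/openemr/sites/default/documents/cqm_qrda';

/**
 * Return the absolute path of $fileName inside $baseDir, or null when the
 * name is not a bare file name, the base directory is missing, the target is
 * not a regular file, or the resolved path escapes the base directory.
 */
function resolve_confined_path(string $baseDir, string $fileName): ?string
{
    // A download token should be a bare name: no separators, no "." or "..",
    // no NUL bytes. basename() strips any directory part, so a mismatch means
    // the caller supplied one.
    if ($fileName === '' || $fileName === '.' || $fileName === '..'
        || $fileName !== basename($fileName)
        || strpos($fileName, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null; // export directory absent: nothing to serve or delete
    }

    // realpath() canonicalises and follows symlinks, so a link inside the
    // export directory that points elsewhere is also caught by the prefix test.
    $full = realpath($base . DIRECTORY_SEPARATOR . $fileName);
    if ($full === false || !is_file($full)) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// The unchecked shape the advisory describes: the request parameter is joined
// onto the directory and handed straight to readfile() and unlink().
function serve_and_delete_unchecked(string $fileName): void
{
    $path = EXPORT_DIR . DIRECTORY_SEPARATOR . $fileName;
    readfile($path);
    unlink($path);
}

// Hardened shape: confine the name first; only delete the file actually served.
function serve_and_delete_confined(string $fileName): bool
{
    $path = resolve_confined_path(EXPORT_DIR, $fileName);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    unlink($path);
    return true;
}

// Entry point for the example; the request parameter name is an assumption.
if (PHP_SAPI !== 'cli') {
    serve_and_delete_confined((string) ($_GET['fileName'] ?? ''));
}
```

Two details matter for the conditions listed above. First, the `basename()` comparison rejects any name containing a separator or `..` before the filesystem is touched, so the check does not depend on which directories happen to exist. Second, because `realpath()` returns `false` when the export directory is absent, the confined handler simply refuses the request in the "directory does not exist" case instead of letting the caller create it later and retry; the check should be applied to the upload path as well, so that `higher_level_path` cannot name an arbitrary directory either.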
## Impact
Information disclosure.
Denial of service.
## Other
[OpenEMR official site](https://www.open-emr.org/)
[OpenEMR git repo](https://github.com/openemr)
[Patch for this issue](https://github.com/openemr/openemr/pull/2592)
*P.S. Special thanks to Brady G. Miller from the OpenEMR team for the fast response and patches.*