OpenClinic GA 5.247.01 - Information Disclosure

EDB-ID:

51994


Author:

VB

Type:

webapps


Platform:

PHP

Date:

2024-04-15


# Exploit Title: OpenClinic GA 5.247.01 - Information Disclosure
# Date: 2023-08-14
# Exploit Author: VB
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/
# Version: OpenClinic GA 5.247.01
# Tested on: Windows 10, Windows 11
# CVE: CVE-2023-40278

# Details
An Information Disclosure vulnerability was discovered in the printAppointmentPdf.jsp component of OpenClinic GA 5.247.01. The issue arises due to improper handling of error messages in response to manipulated input, allowing an attacker to deduce the existence of specific appointments.

# Proof of Concept (POC)
Steps to Reproduce:

- Access the Vulnerable Component:

- Navigate to the URL: http://[IP]:10088/openclinic/planning/printAppointmentPdf.jsp?AppointmentUid=1.1.
- Manipulating the AppointmentUid Parameter:

- Change the `AppointmentUid` parameter value to test different IDs.

- For example, try different numerical values or formats.
- Observing the Responses:

- Note the system's response when accessing with different `AppointmentUid` values.
- A "document is not open" error indicates the existence of an appointment with the specified ID.
- A different error message or response indicates non-existence.
- Confirming the Vulnerability:

- The differing error messages based on the existence of an appointment confirm the Information Disclosure vulnerability.
- This allows an unauthorized user to deduce whether specific appointments exist without direct access to appointment data. As a result, an attacker could deduce the number of appointments performed by private clinics, surgeries and private doctors.