漏洞标题
N/A
漏洞描述信息
在OpenEMR 2.8.1 及其更早版本中,当启用 register_globals 时,存在多个 PHP 远程文件包含漏洞。当配置 register_globals 时,允许远程攻击者通过在事件描述符参数中的 URL 执行任意 PHP 代码,包括 (a) billing_process.php,(b) billing_report.php,(c) billing_report_xml.php,和(d) print_billing_report.php 目录下的文件;(e) login.php;(f) interface/batchcom/batchcom.php;(g) interface/login/login.php;(h) main_info.php 和 (i) main.php 目录下的文件;(j) interface/new/new_patient_save.php;(k) interface/practice/ins_search.php;(l) interface/logout.php;(m) custom_report_range.php,(n) players_report.php,和(o) front_receipts_report.php 目录下的文件;(p) facility_admin.php,(q) usergroup_admin.php,和(r) user_info.php 目录下的文件;或 (s) custom/import_xml.php。
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
Multiple PHP remote file inclusion vulnerabilities in OpenEMR 2.8.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the srcdir parameter to (a) billing_process.php, (b) billing_report.php, (c) billing_report_xml.php, and (d) print_billing_report.php in interface/billing/; (e) login.php; (f) interface/batchcom/batchcom.php; (g) interface/login/login.php; (h) main_info.php and (i) main.php in interface/main/; (j) interface/new/new_patient_save.php; (k) interface/practice/ins_search.php; (l) interface/logout.php; (m) custom_report_range.php, (n) players_report.php, and (o) front_receipts_report.php in interface/reports/; (p) facility_admin.php, (q) usergroup_admin.php, and (r) user_info.php in interface/usergroup/; or (s) custom/import_xml.php.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
OpenEMR 多个PHP远程文件包含漏洞
漏洞描述信息
OpenEMR存在多个PHP远程文件包含漏洞,当系统启用register_globals时,远程攻击者可通过传给在interface/billing/内的(a)billing_process.php,(b)billing_report.php,(c)billing_report_xml.php和(d)print_billing_report.php; (e)login.php;(f)interface/batchcom/batchcom.php;(g)interface/login/login.php;(
CVSS信息
N/A
漏洞类别
授权问题