CVE-2020-28939
📋 TL;DR
OpenClinic version 0.8.2 contains an insecure file upload vulnerability in medical/test_new.php that allows authenticated users with substantial privileges to upload malicious files like PHP web shells. This can lead to arbitrary code execution on the application server, affecting healthcare organizations using this specific version.
💻 Affected Systems
- OpenClinic
📦 What is this software?
OpenClinic by Openclinic Project: an open-source medical records and clinic management web application written in PHP with a MySQL back end. The affected component is the medical test results module (medical/test_new.php), which lets a privileged user attach a result file to a patient's test record.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, ransomware deployment, or complete system takeover
Likely Case
Unauthorized access to patient medical records and sensitive healthcare data
If Mitigated
Limited impact with proper file upload restrictions and privilege separation
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once privileges are obtained
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.3 or later
Advisory (Bishop Fox, the reporting researcher; not a vendor page): https://labs.bishopfox.com/advisories/openclinic-version-0.8.2
Restart Required: Yes
Instructions:
1. Back up the current installation and the database.
2. Download OpenClinic 0.8.3 or later from the official source.
3. Deploy the patched release over the installation.
4. Restart the web server and verify functionality, including that medical/test_new.php no longer accepts PHP files.
🔧 Temporary Workarounds
Restrict file upload types and block execution of uploaded files
The upload passes through medical/test_new.php, so the file that matters is the one it writes to disk. Configure the web server so that nothing in the directory test_new.php stores uploads in is ever executed as PHP. Scope the rule to that directory (the page does not name it; substitute the path from your installation), not to the whole document root, or the application itself stops working. On Apache the .htaccess route needs AllowOverride for that directory; a <Directory> block in the vhost is more reliable.
# Apache (2.4 syntax; on 2.2 use "Deny from all"): .htaccess in the upload
# directory, or a <Directory> block for it in the vhost. The trailing
# (\.|$) also catches double extensions such as shell.php.pdf.
<FilesMatch "\.(php|php3|php4|php5|php7|phtml|phar)(\.|$)">
    Require all denied
</FilesMatch>
# Nginx: in the server block, placed before the generic "location ~ \.php$"
# handler, because the first matching regex location wins
location ~* ^/path/under/webroot/to/uploads/.*\.(php|php3|php4|php5|php7|phtml|phar)(\.|$) {
    deny all;
}
Remove vulnerable endpoint
Disable medical/test_new.php until the patch is applied. This removes the "new test result" feature but leaves the rest of the application working. Rename rather than delete so it can be restored afterwards:
mv /path/to/openclinic/medical/test_new.php /path/to/openclinic/medical/test_new.php.disabled
🧯 If You Can't Patch
- Enforce strict upload validation: an allowlist of extensions and content types checked against the file's content rather than only its name, a server-generated stored filename, and a storage directory the web server does not execute scripts from
- Apply least privilege: limit the accounts that can reach medical/test_new.php (the role that adds test results) to the staff who need it, and treat those accounts as high-value, since any one of them is enough to exploit this issue
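As an added example of the validation the first item describes, the checks a hardened upload handler for medical/test_new.php would perform, written here in Python rather than PHP so it runs stand-alone. This is illustrative code, not OpenClinic's own; the allowlist, the 10 MiB size cap and the executable-extension list are assumptions to tune per deployment.

```python
"""Added example: upload validation of the kind medical/test_new.php lacks.

Illustrative Python, not OpenClinic's (PHP) code. The allowlist, the size
limit and the executable-extension list are assumptions.
"""
import os
import secrets

# Assumption: the clinic only needs PDFs and scanned images.
# Maps an allowed extension to the magic bytes its content must start with.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Any of these anywhere after the first dot is rejected: with mod_php and
# AddHandler matching, "shell.php.pdf" can still execute as PHP. htaccess is
# listed because a writable upload directory must not gain server directives.
EXECUTABLE_SEGMENTS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "htaccess",
}

MAX_SIZE = 10 * 1024 * 1024  # assumed 10 MiB cap


class UploadRejected(ValueError):
    """Raised with a reason string when an upload fails validation."""


def validate_upload(client_filename: str, content: bytes) -> str:
    """Return the server-chosen name to store the file under, or raise.

    The client-supplied name is used only to read the claimed type; it is
    never written to disk, so traversal sequences and crafted names cannot
    influence where, or as what, the file is stored.
    """
    if not content or len(content) > MAX_SIZE:
        raise UploadRejected("empty or oversized upload")
    # Strip any directory component, whichever separator the client used.
    base = os.path.basename(client_filename.replace("\\", "/"))
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[-1]:
        raise UploadRejected("no file extension")
    if any(seg in EXECUTABLE_SEGMENTS for seg in segments[1:]):
        raise UploadRejected("executable extension in name")
    ext = segments[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match .{ext}")
    # A polyglot (valid PDF header, PHP code further in) is still dangerous
    # if the server ever executes the file, so refuse PHP open tags outright.
    if b"<?php" in content or b"<?=" in content:
        raise UploadRejected("PHP open tag in content")
    # Random name carrying only the vetted extension. Store it in a
    # directory the web server is configured not to execute scripts from.
    return f"{secrets.token_hex(16)}.{ext}"


def check_upload(client_filename: str, content: bytes):
    """Convenience wrapper: (True, stored_name) or (False, reason)."""
    try:
        return True, validate_upload(client_filename, content)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample uploads: a benign PDF and a few attack shapes.
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    for name, data in [
        ("results.pdf", pdf),
        ("shell.php", b"<?php echo 'hello'; ?>"),
        ("shell.php.pdf", pdf),
        ("results.pdf", b"<?php echo 'hello'; ?>"),
        ("results.pdf", pdf + b"<?php echo 'hello'; ?>"),
    ]:
        print(name, check_upload(name, data))
```

The order of the checks matters: the name is inspected before the content so that an executable double extension is refused even when the body is a genuine PDF, and the stored name is generated by the server so that nothing the client controls reaches the filesystem.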
🔍 How to Verify
Check if Vulnerable:
The installation is vulnerable if it is version 0.8.2 and medical/test_new.php is present and reachable by the roles allowed to add test results. Confirm the version string in the source tree and that the endpoint exists:
Check Version:
grep -rn "0\.8\.2" /path/to/openclinic --include='*.php' --include='*.txt' | head
ls -l /path/to/openclinic/medical/test_new.php
Verify Fix Applied:
Verify the version is 0.8.3 or later. Then, on a non-production copy and with a test account that has the privileges to add test results, try to upload a harmless .php file through the form and confirm it is rejected; if any file does reach disk under the web root, request it by URL and confirm the server returns 403 or the raw bytes rather than executing it.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /medical/test_new.php from accounts that do not normally add test results, or at unusual times
- New .php, .phtml or .phar files appearing under the web root, especially in the directory test_new.php writes uploads to
- GET requests for .php paths that are not part of the installed application (the access-log sign that an uploaded file is being executed)
- php-fpm or httpd worker processes spawning shells or network tools (sh, bash, nc, curl), visible in auditd or EDR telemetry
Network Indicators:
- HTTP POST requests to /medical/test_new.php with multipart/form-data bodies
- Unusual outbound connections from the web server (reverse shells, tooling downloads)
SIEM Query:
Standard access logs record the method and URI of the upload POST but not the name or extension of the uploaded file, so a query on an upload filename field only works against WAF or reverse-proxy logs that parse multipart bodies (the field name varies by product):
source="waf_logs" AND uri="/medical/test_new.php" AND method="POST" AND (upload_filename="*.php" OR upload_filename="*.phar" OR upload_filename="*.phtml")
On access logs alone, alert on any request for a .php path that is not in the list of PHP files shipped with the installation, and rank it higher when the same client POSTed to the upload endpoint shortly before:
source="web_logs" AND uri="*.php" AND NOT uri IN (<installed .php pages>)
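The access-log correlation described above, as an added example that is not part of the advisory: a detector run over constructed combined-format log lines that flags requests for unknown .php paths, ranking them as upload-then-execute when the same client POSTed to /medical/test_new.php within the preceding window. The known-page list, the /medical/tests/ upload path, the one-hour window and the client addresses are assumptions made for the example.

```python
"""Added example (not from the advisory): detect the CVE-2020-28939 pattern
in Apache/nginx combined-format access logs.

Known pages, the upload directory and the time window are assumptions;
the log lines are constructed.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_ENDPOINT = "/medical/test_new.php"
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar")

# Assumption: the PHP pages that legitimately exist in this installation.
# In practice build the set from the deployed tree, e.g.
#   find /path/to/openclinic -name '*.php'
KNOWN_PAGES = {
    "/index.php",
    "/auth/login.php",
    "/medical/test_new.php",
    "/medical/test_list.php",
    "/medical/test_view.php",
}
WINDOW = timedelta(hours=1)  # assumed correlation window


def parse_line(line):
    """Parse one combined-format line into a dict, or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def find_webshell_activity(lines, known_pages=KNOWN_PAGES, window=WINDOW):
    """Return alerts for script requests that are not known application pages.

    kind == "upload_then_exec": the same client POSTed to the upload endpoint
    within `window` before the request (any response status, since a 500
    from a broken shell is still worth seeing).
    kind == "unknown_php_served": no preceding upload from that client, but
    the server answered 200, so something unexpected is executing.
    Requests for unknown scripts that 404 without a preceding upload are
    ordinary scanner noise and are not reported.
    """
    last_upload = {}  # client ip -> timestamp of its latest upload POST
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            last_upload[ip] = ts
            continue
        if not path.lower().endswith(SCRIPT_EXTS) or path in known_pages:
            continue
        kind = None
        if ip in last_upload and timedelta(0) <= ts - last_upload[ip] <= window:
            kind = "upload_then_exec"
        elif rec["status"] == 200:
            kind = "unknown_php_served"
        if kind:
            alerts.append({"kind": kind, "ip": ip, "path": path,
                           "status": rec["status"], "ts": ts})
    return alerts


# Constructed sample log: a privileged user uploads a file, then fetches it;
# later an unrelated client scans for /shell.php (404) and then hits the
# planted file directly (200). Addresses are documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2020:10:00:01 +0000] "GET /auth/login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2020:10:00:09 +0000] "POST /auth/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2020:10:01:30 +0000] "POST /medical/test_new.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2020:10:01:45 +0000] "GET /medical/tests/shell.php?cmd=id HTTP/1.1" 200 98 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2020:10:02:00 +0000] "GET /medical/test_list.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2020:11:30:00 +0000] "GET /shell.php HTTP/1.1" 404 196 "-" "zgrab/0.x"
203.0.113.7 - - [01/Dec/2020:11:30:01 +0000] "GET /medical/tests/shell.php HTTP/1.1" 200 98 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for alert in find_webshell_activity(SAMPLE_LOG.splitlines()):
        print(alert["kind"], alert["ip"], alert["path"], alert["status"], alert["ts"].isoformat())
```

The first alert is the high-confidence one (upload followed within seconds by a request for a new script under the upload directory); the second shows why a known-page list is needed at all, since the second client never touched the upload endpoint and only the unexpected 200 on a non-application script gives it away.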