Web application framework
“designed to support the development of dynamic websites, web applications,
web services and web resources”
CMS: special purpose
• Enterprise
• Documents
• Web shops
• …
• Healthcare
specially built for hospitals, health systems and clinics and
provide an easy, secure and convenient way to manage medical
data
Korea
“Vizensoft is one of the major
software vendors, especially aimed
at medical organizations in Korea”
http://www.vizenmedical.com
Vizensoft
• Board
• Consultation
• Reservation
• Members
• SMS
• E-MAIL
• Weblog
Typical menu from the
vizensoft admin panel
Vizensoft
Attackers are able to completely
compromise the web application built
upon Vizensoft CMS as they can gain
access to the system and database level
and manage the website as an admin
without prior authentication!
http://bit.ly/1zGCyuW
Multiple Cross Site Scripting issues
No comments. Nearly
every output parameter
is vulnerable!
“Attackers can execute scripts in a victim’s browser to hijack user sessions,
deface web sites, insert hostile content, redirect users, hijack the user’s browser
using malware, etc.”
In fact, even a single occurrence gives an attacker full control over the web
application in the victim’s context!
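Added illustration (not from the slides or from Vizensoft): the difference between echoing a request parameter straight into the page and encoding it per output context. `render_results_unsafe`, `render_results` and the `PROBE` string are constructed for this example; the page layout is an assumed search-results snippet.

```python
import html
from urllib.parse import quote

# Constructed probe string: the classic marker that a reflected parameter is
# written into the page without encoding.
PROBE = "<script>alert(1)</script>"

def render_results_unsafe(query: str) -> str:
    """The pattern the slide criticises: the parameter is echoed into the page as-is."""
    return "<h1>Results for: " + query + "</h1>"

def render_results(query: str) -> str:
    """Encode the untrusted value for each context it lands in, at output time."""
    # HTML text and double-quoted attribute contexts: html.escape with quote=True
    # turns < > & " ' into entities, so the browser parser can never reach a tag.
    text_safe = html.escape(query, quote=True)
    # URL context: percent-encode so the value cannot break out of the query string.
    url_safe = quote(query, safe="")
    return (
        "<h1>Results for: " + text_safe + "</h1>\n"
        '<input type="text" name="q" value="' + text_safe + '">\n'
        '<a href="/search?q=' + url_safe + '">permalink</a>'
    )

def reflects_markup(page: str) -> bool:
    """Does a script tag survive into the rendered page? Used as the check below."""
    return "<script" in page.lower()
```

Encoding is applied where the value is written, not where it is read: the same parameter needs entity encoding in the text and attribute positions and percent-encoding inside the link, so a single "input sanitizer" at the top of the script cannot cover all three.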
Source code disclosure
down.php?path=<path_to_target_file>*
Dots are filtered; however, files inside /www/… are still accessible!
* link modified according to responsible disclosure policies
// a.k.a. “limited path traversal”
• configuration files with passwords and internal information
• framework source code
• users’ personal files
• any other protected information
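Added example (not code from the slides or from Vizensoft) showing why a dot filter is not a path check, and what the whitelisting advised at the end of the deck looks like. The directory layout, the `config.php` contents and the function names are constructed; the only assumption about the real `down.php` is the one the slide states, that it filters dots and nothing else.

```python
import os
import tempfile
from typing import Optional

def dot_filter_allows(path: str) -> bool:
    """The check the slide describes: reject '..' and nothing else.
    It stops '../' but accepts an absolute path such as '/www/config.php'."""
    return ".." not in path

def resolve_download(requested: str, download_dir: str) -> Optional[str]:
    """Map a requested name onto the allowlisted download directory.
    Returns the resolved path to serve, or None when the request would leave it."""
    base = os.path.realpath(download_dir)
    # os.path.join drops `base` when `requested` is absolute; realpath then also
    # collapses '..' and follows symlinks, so the containment test below sees the
    # file that would really be opened.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate

def build_demo_tree() -> tuple:
    """Constructed layout: <root>/www/config.php must stay private, while
    <root>/www/files/ is the only directory the download script may serve from."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "www", "files"))
    with open(os.path.join(root, "www", "config.php"), "w") as f:
        f.write("<?php $db_pass = 'constructed-secret'; ?>\n")
    with open(os.path.join(root, "www", "files", "notice.txt"), "w") as f:
        f.write("public notice\n")
    return root, os.path.join(root, "www", "files")

def demo() -> dict:
    """Run both checks against the constructed tree and report the outcomes."""
    root, download_dir = build_demo_tree()
    config = os.path.join(root, "www", "config.php")   # absolute, contains no '..'
    return {
        "dot_filter_passes_absolute": dot_filter_allows(config),
        "allowlist_blocks_absolute": resolve_download(config, download_dir) is None,
        "allowlist_blocks_dotdot": resolve_download("../config.php", download_dir) is None,
        "allowlist_serves_public": resolve_download("notice.txt", download_dir) is not None,
    }
```

The containment test runs on the resolved path, so symlinks and `..` sequences are judged by where they end up rather than by what the string looks like; a request name is never used to build SQL or shell commands here, it only selects a file under one directory.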
Missing Password Policy
How strong is strong enough?
174125:xGSfdgYq!@44s#abgf
root:Qwerty123
admin:09111989
test:test
a:a
The first break-in after an information disclosure was (quite often) possible only
because of the lack of a password policy!
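Added example (not part of the slides): a minimal password policy applied to the five credential pairs shown above. The rule set (minimum length, character classes, username match, a small common-password denylist, digits-only) is a constructed baseline, and the denylist is a stand-in for a real breached-password list.

```python
import re
from typing import List, Tuple

# Constructed denylist; a real deployment checks against a breached-password list.
COMMON_PASSWORDS = {"password", "qwerty123", "123456", "test", "admin"}

def password_problems(username: str, password: str, min_length: int = 12) -> List[str]:
    """Return every policy rule the password breaks (empty list means accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() == username.lower():
        problems.append("equal to username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
                  if re.search(pat, password))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if password.isdigit():
        problems.append("digits only")
    return problems

# The credential pairs shown on the slide, as (user, password).
SLIDE_CREDENTIALS: List[Tuple[str, str]] = [
    ("174125", "xGSfdgYq!@44s#abgf"),
    ("root", "Qwerty123"),
    ("admin", "09111989"),
    ("test", "test"),
    ("a", "a"),
]

def audit(creds=SLIDE_CREDENTIALS) -> dict:
    """Map each user to the list of rules its password breaks."""
    return {user: password_problems(user, pw) for user, pw in creds}
```

Only the first pair on the slide passes; the other four fail on length alone, which is the cheapest rule to enforce at registration and password-change time.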
Multiple SQL Injection issues ' or ''='
15+ years old, still relevant and extremely dangerous
Gives an attacker direct access to the database, often
allowing them to modify data and even execute arbitrary
code on the server
An unauthenticated attacker could fully exploit the vulnerability; all the health
information about registered users is no longer protected
Lazy-bastard (trivial) way: sqlmap.py
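Added example (not from the slides or from Vizensoft) of the two login queries side by side, run against an in-memory SQLite stand-in for a member table. The table, its rows and the "hash-of-…" values are constructed; the payload is the one in the slide title.

```python
import sqlite3
from typing import List

def build_member_db() -> sqlite3.Connection:
    """In-memory stand-in for a CMS member table; rows and hashes are constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE member (id TEXT, no INTEGER, password TEXT, registdate TEXT)")
    con.executemany("INSERT INTO member VALUES (?, ?, ?, ?)", [
        ("test", 3, "hash-of-test", "2014-01-01"),
        ("admin", 2, "hash-of-admin", "2014-01-01"),
    ])
    return con

def login_vulnerable(con: sqlite3.Connection, user: str, pw_hash: str) -> List[str]:
    """String-built query: whatever the client sends becomes part of the SQL text."""
    sql = "SELECT id FROM member WHERE id = '%s' AND password = '%s'" % (user, pw_hash)
    return [row[0] for row in con.execute(sql)]

def login_safe(con: sqlite3.Connection, user: str, pw_hash: str) -> List[str]:
    """Prepared statement: values are bound as parameters and can never alter the query."""
    sql = "SELECT id FROM member WHERE id = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (user, pw_hash))]

# The payload from the slide title: closes the string literal and appends a tautology.
SLIDE_PAYLOAD = "' or ''='"
```

With the string-built query the WHERE clause becomes `id = 'admin' AND password = '' or ''=''`, which is true for every row; with bound parameters the same text is just a password that matches nothing. Escaping quotes by hand is the wrong fix: the parameter binding keeps data and SQL separate regardless of content.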
Admin Backdoor Account
id          no   password   registdate
test        3    <cut>      2014-xx-xx
admin       2    <cut>      2014-xx-xx
vizensoft   1    <cut>      2013-xx-xx   (invisible)
SQL injection gives an attacker the SHA-1 hash, which can be brute-forced easily.
Once obtained, it poses an extreme security risk to anyone who’s using
the software! The admin cannot modify or disable it!
Symantec Web Gateway // NICE Systems // Recording eXpress // many routers...
http://bit.ly/1yi3hdB
Authentication Bypass
• Something user knows
• Something user has
• Something user is
“The World's Most Misunderstood Programming Language”
Client-side checks alone don’t provide the necessary level of security; in this
case they let the attacker completely bypass the auth process and gain
direct access to the admin panel just by turning JS off!
Arbitrary File Upload
Filename extension checks are done only on the client and not on the server side,
which makes it extremely easy for an attacker to circumvent them and upload
whatever file they want
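Added example (not code from the slides or from Vizensoft) covering both the authentication-bypass and the arbitrary-file-upload slides: the server decides from its own session state and its own inspection of the uploaded bytes, so whether the browser ran any JavaScript is irrelevant. The session store, the role names, the allowed types with their leading bytes, and the `PNG_HEADER` sample are all constructed.

```python
import os
import secrets
from typing import Dict, Optional

# Constructed server-side session store: session id -> role. A real app keeps this
# in a database or a signed cookie; the browser only ever holds the opaque id.
SESSIONS: Dict[str, str] = {}

def create_session(role: str) -> str:
    """Issue an opaque session id for a user whose role the server has verified."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = role
    return sid

def admin_panel(cookies: Dict[str, str], form: Dict[str, str]) -> int:
    """HTTP status for a request to the admin panel.
    The decision uses only the server-side session; form fields such as a
    'js_checked' flag set by page script are never consulted, so turning JS off
    (or on) cannot change the outcome."""
    role = SESSIONS.get(cookies.get("sid", ""))
    return 200 if role == "admin" else 403

# Allowed upload types with the leading bytes each must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def accept_upload(client_filename: str, content: bytes) -> Optional[str]:
    """Server-chosen storage name if the upload is acceptable, else None.
    The client's file name contributes nothing but its final extension, which is
    then cross-checked against the file's actual bytes."""
    ext = os.path.splitext(os.path.basename(client_filename))[1].lstrip(".").lower()
    if ext not in ALLOWED_TYPES:
        return None                       # e.g. 'x.php' or 'x.png.php'
    if not content.startswith(ALLOWED_TYPES[ext]):
        return None                       # extension says image, bytes say otherwise
    return f"{secrets.token_hex(16)}.{ext}"

PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed minimal PNG prefix
```

Two details carry the weight: `admin_panel` never reads the `form` argument, and `accept_upload` discards the client's name in favour of a random server-side one, so neither the name nor any directory components the client sends reach the filesystem.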
Moral
Admin Backdoor Account → make sure you don’t have any backdoors in the systems you use
Authentication Bypass → use only reliable and well-known methods of authentication/authorization
Arbitrary File Upload → don’t reinvent the wheel
Multiple Cross Site Scripting issues → sanitize output
Multiple Unauthenticated SQL Injection issues → prepared statements!
Source code disclosure → avoid dynamic file access and use whitelisting
Missing Password Policy → a:a is NOT secure enough ;)