ID:4280 - Exploit for Input validation error in OpenEMR - CVE-2011-5161

Link to public exploit:

Vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Unrestricted file upload vulnerability in the patient photograph functionality in OpenEMR 4 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the patient directory under documents/. Per: http://cwe.mitre.org/data/definitions/434.html 'CWE-434: Unrestricted Upload of File with Dangerous Type'

Remediation