CVE-2007-0649

Name of the Vulnerable Software and Affected Versions OpenEMR versions 2.8.2 and earlier

Description The issue allows remote attackers to overwrite arbitrary program variables, leading to unauthorized activities. This can be exploited to conduct remote file inclusion attacks via the srcdir parameter in "custom/import xml.php" or cross-site scripting (XSS) attacks via the rootdir parameter in "interface/login/login frame.php". The vulnerability is associated with extract operations on the POST and GET superglobal arrays.

Recommendations For OpenEMR versions 2.8.2 and earlier, update to a version that fixes the variable overwrite vulnerability to prevent remote attackers from overwriting arbitrary program variables. As a temporary workaround, consider restricting access to the custom/import xml.php and interface/login/login frame.php files to minimize the risk of exploitation. Avoid using the srcdir and rootdir parameters in the affected files until the issue is resolved.