Care2x is a web application written in PHP for building a hospital information management system. It is distributed as source code through GitHub and SourceForge, so you download the code and run it on your own server.
During our research we found a SQL injection vulnerability in the "pday", "pmonth" and "pyear" parameters of the GET request sent to the "nursing-station.php" page of the Care2x hospital information management system. The three parameters, which together select a date, reach the database query without being validated or bound as parameters.
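The following is an added example, not code from Care2x or from the Security For Everyone team. It reconstructs the pattern the advisory describes (three date GET parameters concatenated into SQL text) and places a hardened version beside it. The function names, the table name `care_report`, the column `report_date` and the use of PDO are all assumptions made for illustration; the real Care2x code and schema are not shown on this page.

```php
<?php
// Added example: hypothetical code, not Care2x's own.
// Shows the vulnerable pattern described in the advisory and a hardened
// replacement. Table and column names are assumed for illustration.

// Vulnerable pattern (assumed shape): the raw GET parameters are pasted
// straight into the SQL string, so a quote in any of them ends the string
// literal and the rest of the value is parsed as SQL.
function buildReportQueryVulnerable(array $get): string
{
    $pday   = $get['pday']   ?? '';
    $pmonth = $get['pmonth'] ?? '';
    $pyear  = $get['pyear']  ?? '';
    return "SELECT * FROM care_report WHERE report_date = '$pyear-$pmonth-$pday'";
}

// Hardened version, step 1: treat pday/pmonth/pyear as untrusted input and
// accept them only if they form a real calendar date. Returns the normalised
// ISO date string, or null when the input must be rejected.
function parseReportDate(array $get): ?string
{
    $pday   = $get['pday']   ?? null;
    $pmonth = $get['pmonth'] ?? null;
    $pyear  = $get['pyear']  ?? null;

    // Allow-list: digits only, in the widths a date picker would send.
    if (!is_string($pday)   || !preg_match('/^\d{1,2}$/', $pday))   { return null; }
    if (!is_string($pmonth) || !preg_match('/^\d{1,2}$/', $pmonth)) { return null; }
    if (!is_string($pyear)  || !preg_match('/^\d{4}$/',   $pyear))  { return null; }

    $d = (int) $pday;
    $m = (int) $pmonth;
    $y = (int) $pyear;
    // checkdate() takes (month, day, year) and rejects impossible dates
    // such as 31 February that pass the regex.
    if (!checkdate($m, $d, $y)) {
        return null;
    }
    return sprintf('%04d-%02d-%02d', $y, $m, $d);
}

// Hardened version, step 2: even after validation, send the value to the
// database as a bound parameter rather than as part of the query text, so
// the query structure is fixed before any user data is seen.
function fetchReport(PDO $db, array $get): array
{
    $date = parseReportDate($get);
    if ($date === null) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM care_report WHERE report_date = :report_date');
    $stmt->execute([':report_date' => $date]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input (not captured from a real request): a quote in
// pday that would alter the WHERE clause of the vulnerable query.
$attack = ['pday' => "1' OR '1'='1", 'pmonth' => '5', 'pyear' => '2021'];
$benign = ['pday' => '7', 'pmonth' => '3', 'pyear' => '2021'];

echo buildReportQueryVulnerable($attack), PHP_EOL;
var_dump(parseReportDate($attack));
var_dump(parseReportDate($benign));
```

Run with `php example.php`. The vulnerable builder echoes a query whose WHERE clause has been rewritten by the payload, while `parseReportDate()` returns null for the same input because the value fails the digit allow-list, and returns a normalised date for the benign input. The two layers are deliberate: the allow-list rejects malformed dates early and gives a clean 400, and the prepared statement is what actually removes the injection, so the code stays safe even if someone later relaxes the validation.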
How Did We Detect Care2x Hospital Information Management System SQL Injection Vulnerability?
As the Security For Everyone team, we regularly review selected software in search of 0-day vulnerabilities. One of the applications we chose was the Care2x Hospital Information Management System, a web application used by hospitals. After settling on the application, we performed the following steps in order:
What To Do?
The software was last updated in 2018. After confirming the vulnerability we tried to contact the developers, but we could not reach anyone who could release a fix. Since the software no longer receives updates or patches, the Security For Everyone team recommends replacing it with an actively maintained hospital information management system that still receives security updates.