Stored HTML injection in Patient chat functionality in openemr/openemr
Reported on
Dec 25th 2022
Description
I've found out that it is possible to inject HTML code in the Patient Chat functionality, which allows malicious code to be stored there and potentially affect the other chat users.
Proof of Concept
- Login from the patient portal. I've used the demo instance here: http://demo.openemr.io/openemr/portal/index.php?site=&w-
- Go to the chat functionality and write a payload like this:
<a href=//evil.com>click here</a>
You'll see that unsanitized HTML code will appear on the chat.
- Click on the link to actually be redirected to the evil site.
Impact
In this way it is possible to perform a series of actions, ranging from stealing credentials or taking the victim to an arbitrary site to inserting false messages shown to the victim.
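The defensive counterpart to the report above, as an added example that is not code from the report or from OpenEMR: chat text is escaped at render time so that markup such as the reported payload is displayed as literal text, and a small heuristic flags messages containing tags so they can be logged for review. The function names, the message shape (`from`/`body`) and the sample messages are assumptions constructed for this example.

```javascript
// Added example (not OpenEMR's code): escape user-controlled chat text before it
// reaches the DOM, and flag messages that contain markup for logging/review.

// Characters that can change HTML context, mapped to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a chat message so the browser shows it as text, never parses it as HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Detection signal only (not a sanitizer): does the text contain something
// that looks like an HTML tag? Useful for logging stored-HTML attempts.
function looksLikeMarkup(text) {
  return /<\s*\/?[a-z][^>]*>/i.test(String(text));
}

// Render messages to an HTML string the way a chat panel would, escaping
// every user-controlled field (author name and message body).
function renderChat(messages) {
  return messages
    .map((m) => `<li><b>${escapeHtml(m.from)}</b>: ${escapeHtml(m.body)}</li>`)
    .join('\n');
}

// Return the messages that would be worth logging for review.
function flaggedMessages(messages) {
  return messages.filter((m) => looksLikeMarkup(m.body));
}

// Constructed sample conversation; the second body is the payload from the report.
const SAMPLE_MESSAGES = [
  { from: 'patient1', body: 'Hello, is my appointment confirmed?' },
  { from: 'patient2', body: '<a href=//evil.com>click here</a>' },
];

console.log(renderChat(SAMPLE_MESSAGES));
console.log('flagged for review:', flaggedMessages(SAMPLE_MESSAGES).length);
```

The escaping belongs at the output side (whatever builds the chat HTML), not only at input validation, because stored messages may have entered the database through another path; the heuristic is deliberately separate from the escaping so that a false positive in detection never alters how a message is displayed.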
Thanks for the report. A preliminary fix has been posted in PR https://github.com/openemr/openemr/pull/6079/files
Please do not create a CVE # or make this vulnerability public at this time. We will make this fix official about 1 week after we release 7.0.0 patch 3 (7.0.0.3), which will likely be in about 1-3 weeks. After we do that, it will be OK to create a CVE # and make it public.
Thanks!
This is fixed in the master branch at https://github.com/openemr/openemr/commit/c1c0805696ca68577c37bf30e29f90e5f3e0f1a9
@leorac, @admin, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 3-4 weeks, which will include this fix. At that time (after releasing OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a CVE).
Thanks for the report, @leorac!