Bypass client side restrictions leads to IDOR on creating appointment. in openemr/openemr

Valid

Reported on

Dec 26th 2022

Description

When creating an appointment, a Patient can completely bypass the client side restrictions, and not only can create an appointment in every date he wants, it can also set the duration of the appointment as long as he wants but most important of everything, he can tamper the form_pid and create appointment for other users.

Proof of Concept

  • Login as a Patient on https://demo.openemr.io/openemr/portal
  • Go to the "My appointments section"
  • Schedule a new appointment
  • You can intercept the request right now, and tamper the result, or you can create a regular one and then temper the result on the update
  • Now get the POST request to /openemr/portal/add_edit_event_user.php and tamper the data:
POST /openemr/portal/add_edit_event_user.php?eid=21 HTTP/1.1
Host: demo.openemr.io

form_action=save&form_title=Office+Visit&form_apptstatus=%5E&form_category=5&form_date=2022-12-26&form_hour=8&form_minute=30&form_ampm=1&form_duration=85&form_patient=Test&form_pid=5&form_provider_ae=6&form_comments=test

As you can see here, I've created an appointment on a Date of my own choice, I've set the duration of the appointment to 85 minutes, and I've set the appointment not for me, which I have ID 1 ( Phil Belford) but for the one with ID 5.

And this is the result from the Receptionist view: image

Impact

A patient can create appointments for other users, and can also “cheat” on the date and duration of the appointments

Occurrences

Remove the pid from the form, but get it from the session.

We are processing your report and will contact the openemr team within 24 hours. a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
openemr/openemr maintainer has acknowledged this report a year ago
Brady Miller validated this vulnerability a year ago

This is fixed is in master branch at https://github.com/openemr/openemr/commit/c1c0805696ca68577c37bf30e29f90e5f3e0f1a9

@leorac, @admin, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 3-4 weeks, which will include this fix. At that time (after release OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a cve).

thanks for the report @leorac !

leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller marked this as fixed in 7.0.1 with commit c1c080 6 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Brady Miller published this vulnerability 6 months ago
add_edit_event_user.php#L308 has been validated
to join this conversation