Improper Privilege Management in openemr/openemr

Valid

Reported on Sep 24th 2021


Description

A predefined Front desk receptionist user has access to the Audit Log Tamper Report function. By default this report is a predefined system administrator function, and no other user should be able to access it.

Proof of Concept

  • Log in with a Front desk receptionist user

  • Open the following URI directly: /openemr/interface/reports/audit_log_tamper_report.php

  • The report data is displayed to the unauthorized user.

Impact

A receptionist user is able to access the Audit Log Tamper Report, from which information can be gained about failed login attempts.
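The defect behind the PoC is a report script that is reachable by URL and renders without checking the caller's ACL; the menu hiding the entry for receptionists is not authorization. The block below is an added example written for this page, not OpenEMR's own code and not the fix in PR 4660: it contrasts the unchecked pattern with a guarded one. The helper AclMain::aclCheckCore($section, $value) and the xlt() translation/escaping function are OpenEMR functions as understood here, and the choice of the 'admin'/'super' permission pair to gate this report is an assumption.

```php
<?php
// Added example (not OpenEMR's code). Shows the missing-check pattern
// behind a direct-URI report page and the guard it needs.

// ---------------------------------------------------------------
// Vulnerable form: what the PoC exercises.
// The script bootstraps the application and goes straight to
// querying the log and printing the report. Nothing here asks
// who the caller is, so any authenticated user (a Front desk
// receptionist included) who knows the URI gets the data.
// ---------------------------------------------------------------
//
//   require_once("../globals.php");   // session + ACL helpers
//   $rows = sqlStatement("SELECT ... FROM log ...");   // no role check
//   render_report($rows);
//
// ---------------------------------------------------------------
// Hardened form: deny before any query runs or any HTML is emitted.
// ---------------------------------------------------------------
require_once("../globals.php");

use OpenEMR\Common\Acl\AclMain;

// Assumption: the administrator-only pages in OpenEMR are gated by
// the ('admin', 'super') ACL pair; adjust if the site uses a
// different section/value for this report.
if (!AclMain::aclCheckCore('admin', 'super')) {
    // Reject the request itself, not just the rendering: a user who
    // is not authorized must not trigger the log query at all.
    http_response_code(403);
    echo xlt("Not authorized");
    exit;
}

// Only now is it safe to build and render the audit log tamper report.
// $rows = sqlStatement("SELECT ... FROM log ...");
// render_report($rows);
```

The PoC on this page doubles as the regression test: after the guard is in place, log in as the receptionist user, request the URI directly, and expect a 403 (or the project's unauthorized page) rather than report rows. The check has to live in the script that is reachable by URL; a check in the menu, or in a parent page that links to the report, does not stop a user from typing the path.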

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
TheLabda modified the report 2 years ago
TheLabda modified the report 2 years ago
We have contacted a member of the openemr team and are waiting to hear back 2 years ago
openemr/openemr maintainer (Maintainer), 2 years ago:

Hi, thanks for the report. This issue has been fixed in OpenEMR's master branch: https://github.com/openemr/openemr/pull/4660. Plan to release a 6.0.0 patch in future with this fix (will likely release the patch in several weeks).

TheLabda (Researcher), 2 years ago:

Hi! Thanks for the response. Can you please mark the issue described above as valid?

Thanks,

Labda

openemr/openemr maintainer validated this vulnerability 2 years ago
thelabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Brady Miller marked this as fixed in 6.1.0 with commit 9c6051 2 years ago
The fix bounty has been dropped
Brady Miller (Maintainer), 2 years ago:

This was fixed a while back for the OpenEMR 6.1.0 version.
