CVE-2018-15152: OpenEMR Patches - OpenEMR Project Wiki
Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.
From OpenEMR Project Wiki
6.0.0 Patch (10/19/21)
Download link
Description
This is the third patch, and it also includes the changes from the prior patches. Please read through the list of modified files below to make sure you have not customized any of them, because installing the patch will overwrite them.
Installation instructions
Windows
1. Extract the zipped file into the openemr web directory, and say yes to copying over files
2. Open web browser and go to http://your_server_name_or_ip/openemr/sql_patch.php
(this script will run automatically and patch the database)
(if you are using the Multisite Module, then skip step 2 and follow these instructions)
3. Delete the sql_patch.php file from the openemr web directory
Linux
1. Move the patch file to the openemr web directory, then type 'unzip 6-0-0-Patch-3.zip', and confirm ok to copy over files.
2. Open web browser and go to http://your_server_name_or_ip/openemr/sql_patch.php
(this script will run automatically and patch the database)
(if you are using the Multisite Module, then skip step 2 and follow these instructions)
3. Delete the sql_patch.php file from the openemr web directory
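The three-step procedure above (the same on both platforms), as an added Python example that is not code from the OpenEMR wiki or project: it checks the patch's file list against the files you have customized (the warning in the description), extracts the zip while refusing entries that would land outside the web directory, reads the patch level from version.php (assuming that file contains a `$v_realpatch = 'N';` line, which is an assumption here), and confirms that sql_patch.php is gone after step 3. The patch zip, the customized-file list and the install directory are constructed fixtures. Step 2 (requesting sql_patch.php in a browser) cannot be done offline and is left to you.

```python
# Added example (not OpenEMR project code): pre-flight and post-patch checks
# around the three-step zip patch procedure from the wiki.
# Assumptions (not from the wiki): zip entries are paths relative to the openemr
# web directory, version.php carries a line like `$v_realpatch = '3';`, and you
# keep your own list of locally customized files.
import re
import tempfile
import zipfile
from pathlib import Path

INSTALL_SCRIPT = "sql_patch.php"  # the wiki's step 3 deletes this file
VERSION_RE = re.compile(r"""\$v_realpatch\s*=\s*['"]?(\d+)['"]?\s*;""")


def patch_entries(zip_path):
    """Regular-file entries in the patch zip, as paths relative to the web dir."""
    with zipfile.ZipFile(zip_path) as zf:
        return {i.filename for i in zf.infolist() if not i.is_dir()}


def customized_overlap(zip_path, customized):
    """Locally customized files that step 1 would overwrite."""
    return sorted(patch_entries(zip_path) & set(customized))


def safe_extract(zip_path, webdir):
    """Step 1: extract, refusing any entry that resolves outside the web dir."""
    webdir = Path(webdir).resolve()
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = (webdir / info.filename).resolve()
            if target != webdir and webdir not in target.parents:
                raise ValueError(f"refusing to extract outside web dir: {info.filename}")
        zf.extractall(webdir)


def realpatch_level(webdir):
    """Patch number from version.php (assumed `$v_realpatch = 'N';` format)."""
    m = VERSION_RE.search((Path(webdir) / "version.php").read_text())
    return int(m.group(1)) if m else None


def leftover_install_script(webdir):
    """Step 3 check: True while sql_patch.php is still in the web directory."""
    return (Path(webdir) / INSTALL_SCRIPT).exists()


def demo():
    """Run the checks against constructed fixtures in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        webdir = tmp / "openemr"
        (webdir / "interface").mkdir(parents=True)
        # constructed fixture: a patch-2 install with one locally customized file
        (webdir / "interface" / "globals.php").write_text("<?php // site tweak\n")
        (webdir / "version.php").write_text("<?php\n$v_realpatch = '2';\n")
        # constructed fixture: a minimal patch zip in the wiki's layout
        zip_path = tmp / "6-0-0-Patch-3.zip"
        with zipfile.ZipFile(zip_path, "w") as zf:
            zf.writestr("version.php", "<?php\n$v_realpatch = '3';\n")
            zf.writestr(INSTALL_SCRIPT, "<?php // runs the database patch\n")
            zf.writestr("interface/globals.php", "<?php // upstream version\n")
        # constructed fixture: a zip with a path-traversal entry, to be rejected
        bad_zip = tmp / "bad.zip"
        with zipfile.ZipFile(bad_zip, "w") as zf:
            zf.writestr("../evil.php", "<?php\n")

        customized = ["interface/globals.php", "custom/my_report.php"]
        overlap = customized_overlap(zip_path, customized)
        level_before = realpatch_level(webdir)
        safe_extract(zip_path, webdir)
        level_after = realpatch_level(webdir)
        leftover_before = leftover_install_script(webdir)
        # step 2 (browser request to sql_patch.php) happens out of band; then step 3:
        (webdir / INSTALL_SCRIPT).unlink()
        leftover_after = leftover_install_script(webdir)
        try:
            safe_extract(bad_zip, webdir)
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        return {
            "overlap": overlap,
            "level_before": level_before,
            "level_after": level_after,
            "leftover_before_cleanup": leftover_before,
            "leftover_after_cleanup": leftover_after,
            "traversal_rejected": traversal_rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the overlap check before you say yes to overwriting anything, and merge your changes back into the patched files afterwards. Step 3 is not optional: as step 2 shows, sql_patch.php runs the database patch as soon as it is requested, so it should not stay in the web directory once the patch is applied.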
Fixes and New Features
(note the ones with ** are new with this patch):
- Added Support for Fully Integrated Telehealth Modules; see Lifemesh Telehealth Module for the first integrated third party Telehealth Module (by Sherwin Gaddis)**
- Patient Portal improvements (by Jerry Padgett)**
- Security fixes (fixes by Brady Miller)**
- PHP8 bug fixes (fixes by Jerry Padgett and Stephen Waite)**
- Patient finder fix (fix by Stephen Waite)**
- Billing fixes (fixes by Stephen Waite)**
- EDI history fixes (fixes by Stephen Waite)**
- Fee sheet fix (fix by Stephen Waite)**
- Billing daysheet fix (fix by Stephen Waite)**
- Collection report fix (fix by Stephen Waite)**
- Demographics fixes (fixes by Stephen Waite)**
- Vitals form fix (fix by Jerry Padgett)**
- Unique installation ID fix (fix by Brady Miller)**
- Code types fix (fix by Stephen Waite)**
- Pnote fix (fix by Jerry Padgett)**
- Added setting to turn on/off input of onset/hospitalization date for each visit (by Rod Roark)**
- Security fix (reported by Hagai Wechsler at https://www.whitesourcesoftware.com, fix by Brady Miller)
- WENO Exchange ePrescribing fixes (fixes by Sherwin Gaddis)
- Session and timeout fixes (fixes by Rod Roark, Stephen Waite, Jerry Padgett and Brady Miller)
- Patient portal improvements (by Jerry Padgett)
- Eye form fixes (fixes by Ray Magauran)
- Billing fixes (fixes by Stephen Waite)
- New GAD-7 form (by Ruth Moulton)
- Layout Based Form fix (fix by Rod Roark)
- Backup fixes (fixes by Rod Roark)
- Demographics fix (fix by Ken Chapple)
- Messaging improvement (by Stephen Waite)
- PHP 8 fixes (fixes by Stephen Waite)
- MySQL 8 fix (fix by Rod Roark)
- Security fixes (reported by Hagai Wechsler at https://www.whitesourcesoftware.com, fixes by Brady Miller)
- Eye form fixes (fixes by Ray Magauran)
- Patient portal registration fix (fix by Jerry Padgett)
- WENO Exchange ePrescribing (by Sherwin Gaddis)
- UUID creation optimizations (by Brady Miller)
- Billing fixes (fixes by Stephen Waite)
- sql upgrade optimizations (by Stephen Waite)
- Addition of Johnson & Johnson COVID-19 vaccine (by Stephen Waite)
List of files (6.0.0) Patch 3
.gitignore acknowledge_license_cert.html ccdaservice/serveccda.js ccr/stylesheet/ccr.xsl ci/apache_73_103/docker-compose.yml ci/apache_73_104/docker-compose.yml ci/apache_73_105/docker-compose.yml ci/apache_73_57/docker-compose.yml ci/apache_73_8/docker-compose.yml config/config.yaml contrib/weno/WenoPharmacyDirectory2020-12-13.csv controllers/C_Document.class.php controllers/C_Pharmacy.class.php custom/code_types.inc.php gacl/Cache_Lite/Lite.php interface/billing/billing_report.php interface/billing/edih_view.php interface/billing/edit_payment.php interface/billing/new_payment.php interface/billing/payment_pat_sel.inc.php interface/billing/search_payments.php interface/billing/sl_eob_invoice.php interface/billing/sl_eob_process.php interface/billing/sl_eob_search.php interface/eRxXMLBuilder.php interface/forms/CAMOS/help.html interface/forms/CAMOS/new.php interface/forms/CAMOS/notegen.php interface/forms/LBF/new.php interface/forms/eye_mag/SpectacleRx.php interface/forms/eye_mag/a_issue.php interface/forms/eye_mag/css/style.css interface/forms/eye_mag/js/eye_base.php interface/forms/eye_mag/js/jquery-1-10-2/jquery.min.js interface/forms/eye_mag/js/jquery-panelslider/jquery.panelslider.min.js interface/forms/eye_mag/js/jquery-ui-1-11-4/jquery-ui.min.js interface/forms/eye_mag/js/shortcut.js-2-01-B/shortcut.js interface/forms/eye_mag/php/eye_mag_functions.php interface/forms/eye_mag/php/taskman_functions.php interface/forms/eye_mag/report.php interface/forms/eye_mag/save.php interface/forms/eye_mag/view.php interface/forms/fee_sheet/code_choice/css/code_choices.css interface/forms/fee_sheet/code_choice/templates/code_choices.php interface/forms/fee_sheet/new.php interface/forms/gad7/gad7.inc.php interface/forms/gad7/gad7_javasrc.js interface/forms/gad7/info.txt interface/forms/gad7/new.php interface/forms/gad7/report.php interface/forms/gad7/save.php interface/forms/gad7/table.sql interface/forms/gad7/view.php interface/forms/misc_billing_options/new.php 
interface/forms/newpatient/common.php interface/forms/newpatient/new.php interface/forms/vitals/templates/vitals/general_new.html interface/globals.php interface/login/login.php interface/main/about_page.php interface/main/authorizations/authorizations.php interface/main/backup.php interface/main/calendar/add_edit_event.php interface/main/calendar/find_patient_popup.php interface/main/calendar/modules/PostCalendar/pnincludes/Date/Calc.php interface/main/calendar/modules/PostCalendar/pnuserapi.php interface/main/dated_reminders/dated_reminders.php interface/main/finder/dynamic_finder.php interface/main/finder/dynamic_finder_ajax.php interface/main/finder/patient_select.php interface/main/messages/css/reminder_style.css interface/main/messages/js/reminder_appts.js interface/main/messages/messages.php interface/main/messages/save.php interface/main/onotes/office_comments.php interface/main/onotes/office_comments_full.php interface/main/tabs/js/tabs_view_model.js interface/main/tabs/js/user_data_view_model.js interface/main/tabs/main.php interface/main/tabs/menu/menus/standard.json interface/main/tabs/templates/tabs_template.php interface/modules/zend_modules/module/Installer/view/installer/installer/index.phtml interface/new/new_comprehensive.php interface/new/new_comprehensive_save.php interface/orders/orders_results.php interface/orders/patient_match_dialog.php interface/patient_file/download_template.php interface/patient_file/encounter/diagnosis.php interface/patient_file/encounter/forms.php interface/patient_file/front_payment.php interface/patient_file/front_payment_cc.php interface/patient_file/history/edit_billnote.php interface/patient_file/history/encounters.php interface/patient_file/merge_patients.php interface/patient_file/report/custom_report.php interface/patient_file/report/patient_report.php interface/patient_file/summary/demographics.php interface/patient_file/summary/demographics_full.php interface/patient_file/summary/demographics_save.php 
interface/patient_file/summary/pnotes_fragment.php interface/patient_file/summary/stats.php interface/patient_tracker/patient_tracker.php interface/practice/ins_list.php interface/reports/audit_log_tamper_report.php interface/reports/clinical_reports.php interface/reports/collections_report.php interface/reports/criteria.tab.php interface/reports/pat_ledger.php interface/reports/patient_list_creation.php interface/super/edit_globals.php interface/super/edit_layout.php interface/super/edit_list.php interface/themes/colors/utilities/tabs-full.scss interface/themes/core/patient/demographics.scss interface/themes/core/tabs.scss interface/themes/oe-styles/style_manila.scss interface/themes/patientportal-style.scss interface/themes/rtl_style_pdf.css interface/themes/style.scss interface/themes/tabs_style_compact.scss interface/themes/tabs_style_full.scss interface/usergroup/addrbook_list.php interface/usergroup/facilities.php interface/usergroup/mfa_registrations.php interface/usergroup/mfa_totp.php interface/usergroup/mfa_u2f.php interface/usergroup/usergroup_admin.php interface/weno/facilities.php interface/weno/indexrx.php interface/weno/rxlogmanager.php interface/weno/weno.js interface/weno/wenoconnected.php library/ESign/Form/Signable.php library/FeeSheet.class.php library/MedEx/API.php library/MedEx/MedEx.php library/MedEx/MedEx_background.php library/ajax/dated_reminders_counter.php library/ajax/payment_ajax.php library/ajax/sql_server_status.php library/ajax/template_context_search.php library/api.inc library/auth.inc library/classes/Address.class.php library/classes/Installer.class.php library/classes/InsuranceCompany.class.php library/classes/Note.class.php library/classes/Pharmacy.class.php library/classes/Prescription.class.php library/custom_template/ajax_code.php library/custom_template/custom_template.php library/custom_template/personalize.php library/dialog.js library/edihistory/edih_271_html.php library/edihistory/edih_277_html.php 
library/edihistory/edih_835_html.php library/edihistory/edih_csv_inc.php library/edihistory/edih_io.php library/edihistory/edih_segments.php library/globals.inc.php library/js/CustomTemplateApi.js library/js/CustomTemplateLoader.js library/js/ajax_functions_writer.js library/js/common.js library/js/report_helper.js library/js/utility.js library/options.inc.php library/options.js.php library/patient.inc library/payment.inc.php library/payment_jav.inc.php library/report.inc library/restoreSession.php library/sql_upgrade_fx.php library/uuid.php library/weno_log_sync.php portal/account/account.php portal/account/index_reset.php portal/account/register.php portal/get_profile.php portal/home.php portal/import_template.php portal/import_template_ui.php portal/lib/doc_lib.php portal/lib/download_template.php portal/lib/paylib.php portal/lib/persist.php portal/lib/template_menu.php portal/messaging/messages.php portal/messaging/secure_chat.php portal/patient/_app_config.php portal/patient/_global_config.php portal/patient/fwk/libs/verysimple/IO/Includer.php portal/patient/fwk/libs/verysimple/Phreeze/Dispatcher.php portal/patient/fwk/libs/verysimple/Phreeze/PortalController.php portal/patient/fwk/libs/verysimple/Util/ExceptionThrower.php portal/patient/libs/Controller/AppBasePortalController.php portal/patient/libs/Controller/DefaultController.php portal/patient/libs/Controller/OnsiteActivityViewController.php portal/patient/libs/Controller/OnsiteDocumentController.php portal/patient/libs/Controller/OnsitePortalActivityController.php portal/patient/libs/Controller/PatientController.php portal/patient/libs/Controller/PortalPatientController.php portal/patient/libs/Controller/ProviderController.php portal/patient/libs/Model/DAO/PatientDAO.php portal/patient/libs/Model/DAO/PatientMap.php portal/patient/libs/Reporter/PatientReporter.php portal/patient/scripts/app.js portal/patient/scripts/app/onsitedocuments.js portal/patient/scripts/app/patientdata.js 
portal/patient/scripts/model.js portal/patient/templates/OnsiteDocumentListView.tpl.php portal/patient/templates/PatientListView.tpl.php portal/patient/templates/ProviderHome.tpl.php portal/portal_payment.php portal/sign/assets/signer_api.js portal/sign/assets/signer_modal.php portal/sign/lib/save-signature.php portal/sign/lib/show-signature.php public/themes/ajax_calendar_ie.css public/themes/compact_style_ash_blue.css public/themes/compact_style_burgundy.css public/themes/compact_style_cadmium_yellow.css public/themes/compact_style_chocolate.css public/themes/compact_style_cobalt_blue.css public/themes/compact_style_coral.css public/themes/compact_style_dark.css public/themes/compact_style_deep_purple.css public/themes/compact_style_dune.css public/themes/compact_style_emerald.css public/themes/compact_style_forest_green.css public/themes/compact_style_light.css public/themes/compact_style_manila.css public/themes/compact_style_mauve.css public/themes/compact_style_mustard_green.css public/themes/compact_style_olive.css public/themes/compact_style_pink.css public/themes/compact_style_powder_blue.css public/themes/compact_style_red.css public/themes/compact_style_sienna.css public/themes/compact_style_solar.css public/themes/compact_style_tangerine.css public/themes/jquery.autocomplete.css public/themes/misc/bootstrap_navbar.css public/themes/misc/edi_history_v2.css public/themes/misc/encounters.css public/themes/misc/labdata.css public/themes/misc/rtl_bootstrap_navbar.css public/themes/misc/rtl_edi_history_v2.css public/themes/misc/rtl_encounters.css public/themes/misc/rtl_labdata.css public/themes/misc/rtl_rules.css public/themes/misc/rules.css public/themes/patientportal-base.css public/themes/patientportal-register.css public/themes/patientportal-style.css public/themes/rtl_compact_style_ash_blue.css public/themes/rtl_compact_style_burgundy.css public/themes/rtl_compact_style_cadmium_yellow.css public/themes/rtl_compact_style_chocolate.css 
public/themes/rtl_compact_style_cobalt_blue.css public/themes/rtl_compact_style_coral.css public/themes/rtl_compact_style_dark.css public/themes/rtl_compact_style_deep_purple.css public/themes/rtl_compact_style_dune.css public/themes/rtl_compact_style_emerald.css public/themes/rtl_compact_style_forest_green.css public/themes/rtl_compact_style_light.css public/themes/rtl_compact_style_manila.css public/themes/rtl_compact_style_mauve.css public/themes/rtl_compact_style_mustard_green.css public/themes/rtl_compact_style_olive.css public/themes/rtl_compact_style_pink.css public/themes/rtl_compact_style_powder_blue.css public/themes/rtl_compact_style_red.css public/themes/rtl_compact_style_sienna.css public/themes/rtl_compact_style_solar.css public/themes/rtl_compact_style_tangerine.css public/themes/rtl_patientportal-base.css public/themes/rtl_patientportal-register.css public/themes/rtl_patientportal-style.css public/themes/rtl_style_ash_blue.css public/themes/rtl_style_burgundy.css public/themes/rtl_style_cadmium_yellow.css public/themes/rtl_style_chocolate.css public/themes/rtl_style_cobalt_blue.css public/themes/rtl_style_coral.css public/themes/rtl_style_dark.css public/themes/rtl_style_deep_purple.css public/themes/rtl_style_dune.css public/themes/rtl_style_emerald.css public/themes/rtl_style_forest_green.css public/themes/rtl_style_light.css public/themes/rtl_style_manila.css public/themes/rtl_style_mauve.css public/themes/rtl_style_mustard_green.css public/themes/rtl_style_olive.css public/themes/rtl_style_pdf.css public/themes/rtl_style_pink.css public/themes/rtl_style_powder_blue.css public/themes/rtl_style_red.css public/themes/rtl_style_sienna.css public/themes/rtl_style_solar.css public/themes/rtl_style_tangerine.css public/themes/rtl_tabs_style_compact.css public/themes/rtl_tabs_style_full.css public/themes/style_ash_blue.css public/themes/style_burgundy.css public/themes/style_cadmium_yellow.css public/themes/style_chocolate.css 
public/themes/style_cobalt_blue.css public/themes/style_coral.css public/themes/style_dark.css public/themes/style_deep_purple.css public/themes/style_dune.css public/themes/style_emerald.css public/themes/style_forest_green.css public/themes/style_light.css public/themes/style_manila.css public/themes/style_mauve.css public/themes/style_mustard_green.css public/themes/style_olive.css public/themes/style_pink.css public/themes/style_powder_blue.css public/themes/style_red.css public/themes/style_sienna.css public/themes/style_solar.css public/themes/style_tangerine.css public/themes/tabs_style_compact.css public/themes/tabs_style_full.css setup.php sites/default/documents/custom_menus/Custom.json sites/default/documents/onsite_portal_documents/templates/Help.tpl sql/5_0_2-to-6_0_0_upgrade.sql sql/cvx_codes.sql sql/database.sql sql/patch.sql sql_patch.php sql_upgrade.php src/Billing/BillingReport.php src/Billing/BillingUtilities.php src/Billing/Claim.php src/Billing/InvoiceSummary.php src/Billing/X125010837P.php src/Common/Auth/AuthUtils.php src/Common/Logging/EventAuditLogger.php src/Common/Session/SessionTracker.php src/Common/Session/SessionUtil.php src/Common/Twig/TwigContainer.php src/Common/Twig/TwigExtension.php src/Common/Uuid/UniqueInstallationUuid.php src/Common/Uuid/UuidRegistry.php src/Core/TwigExtension.php src/Events/Appointments/AppointmentRenderEvent.php src/Events/Appointments/AppointmentSetEvent.php src/Events/Messaging/SendSmsEvent.php src/Menu/PatientMenuEvent.php src/Menu/PatientMenuRole.php src/OeUI/OemrUI.php src/Rx/Weno/Container.php src/Rx/Weno/FacilityProperties.php src/Rx/Weno/LogDataInsert.php src/Rx/Weno/LogImportBuild.php src/Rx/Weno/LogProperties.php src/Rx/Weno/TransmitProperties.php src/Rx/Weno/wenoPharmaciesImport.php src/Services/PrescriptionService.php templates/documents/general_list.html templates/documents/general_view.html templates/insurance_companies/general_list.html templates/pharmacies/general_list.html 
templates/portal/base.html.twig templates/portal/header.html.twig templates/portal/home.html.twig templates/practice_settings/general_list.html templates/prescription/general_fragment.html templates/prescription/general_list.html tests/Tests/E2e/Pages/MainPage.php tests/eventdispatcher/oe-modify-patient-menu-example/README.md tests/eventdispatcher/oe-modify-patient-menu-example/composer.json tests/eventdispatcher/oe-modify-patient-menu-example/custom_patient_menu.json tests/eventdispatcher/oe-modify-patient-menu-example/openemr.bootstrap.php tests/old_unit_dir/BaseHarness.class.php version.php
Previous Patches