DOM-based Cross-Site Scripting (XSS) in OpenEMR 7.0.0 and below at White list files in openemr/openemr

Valid

Reported on

Jul 22nd 2022


Description

We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 (latest version) and below version; Open Source electronic health records and medical practice management application; has DOM-based Cross-Site Scripting (XSS) vulnerability in the add-manually-input field on white list file page that never been reported before (We've checked from CVE Official website).

Vulnerability Type

DOM-based Cross-Site Scripting (XSS)

Affected Page/URL

https://<openemrurl>/interface/super/manage_site_files.php

Sample XSS Payload

"><script>alert(`CVE_Hunting`)</script>

Vulnerable Source Code

/var/www/localhost/htdocs/openemr/interface/super/manage_site_files.php (Please see more details in the occurrences section)

Implication

Client-side scripts are used extensively by modern web applications. They perform from simple functions (such as the formatting of text) up to full manipulation of client-side data and Operating System interaction.

Unlike traditional Cross-Site Scripting (XSS), where the client is able to inject scripts into a request and have the server return the script to the client, DOM XSS does not require that a request be sent to the server and may be abused entirely within the loaded page.

This occurs when elements of the DOM (known as the sources) are able to be manipulated to contain untrusted data, which the client-side scripts (known as the sinks) use or execute an unsafe way.

Scanner has discovered that by inserting an HTML element into the page's DOM inputs (sources), it was possible to then have the HTML element rendered as part of the page by the sink.

Recommendation

Client-side document rewriting, redirection, or other sensitive action, using untrusted data, should be avoided wherever possible, as these may not be inspected by server side filtering.

To remedy DOM XSS vulnerabilities where these sensitive document actions must be used, it is essential to

  • Ensure any untrusted data is treated as text, as opposed to being interpreted as code or mark-up within the page.
  • Escape untrusted data prior to being used within the page. Escaping methods will vary depending on where the untrusted data is being used. (See references for details.)
  • Use document.createElement, element.setAttribute, element.appendChild, etc. to build dynamic interfaces as opposed to HTML rendering methods such as document.write, document.writeIn, element.innerHTML, or element.outerHTMLetc.

Discoverer/Reporters

  • Ammarit Thongthua, Rattapon Jitprajong and Nattakit Intarasorn from Secure D Center Research Team

Example PoC Screenshots

OpenEMR Version 6.1.0

CVEHunting-Open-EMR-6-1-0-version.png

OpenEMR Version 7.0.0

Screen-Shot-2022-07-20-at-3-18-07-PM.png

Admin > System > Files

Screen-Shot-2022-07-22-at-9-37-26-AM.png

At the White list we Injected malicious JavaScript Payload in to {add-manually-input} with Sample XSS Payload

"><script>alert(`CVE_Hunting`)</script>

Screen-Shot-2022-07-22-at-9-40-03-AM.png

Renderred Malicious JavaScript (XSS)

Screen-Shot-2022-07-22-at-9-40-38-AM.png

Impact

DOM-based vulnerabilities arise when a website contains JavaScript that takes an attacker-controllable value, known as a source, and passes it into a dangerous function, known as a sink.

Occurrences

        $('#add-manually').on('click', function () {
            var new_type = $("#add-manually-input").val();
            if(new_type.length < 1)return;
            $('#white-list').prepend("<option value="+new_type+">"+new_type+"</option>")
        })
We are processing your report and will contact the openemr team within 24 hours. 2 months ago
JohnNattakit modified the report
2 months ago
We have contacted a member of the openemr team and are waiting to hear back 2 months ago
Brady Miller validated this vulnerability 2 months ago

Thanks for the report. We are working on a fix.

JohnNattakit has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the openemr team. We will try again in 7 days. 2 months ago
Brady Miller
2 months ago

Maintainer


A preliminary fix has been posted in commit 74d21039aec641b2c406e3baf238ae4602a968b6

Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 3-7 weeks. After I do that, then will be ok to make CVE # and make it public.

Thanks!

We have sent a second fix follow up to the openemr team. We will try again in 10 days. 2 months ago
JohnNattakit
2 months ago

Researcher


Dear @Brady Miller, @admin

Hope you are doing well. We have got the notification email that the 1st patch for OpenEMR 7.0.0 has been released.

Can the CVE be assigned to this issue?

Screen-Shot-2022-08-08-at-9-48-42-AM.png

Jamie Slome
a month ago

Admin


Just waiting on the go-ahead from the maintainer, then I can arrange and publish the CVE 👍

Brady Miller confirmed that a fix has been merged on 74d210 a month ago
The fix bounty has been dropped
Brady Miller
a month ago

Maintainer


OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.

JohnNattakit
a month ago

Researcher


Dear @Admin, @Jamie Slome Could you please help to assign the CVE for this finding please? Thanks and appreciate for your help 👍

@Brady Miller Thanks for your response 👍

Jamie Slome
a month ago

Admin


CVE assigned and will be automatically published in the next couple of hours 👍 ♥️

JohnNattakit
a month ago

Researcher


@Jamie Slome Appreciate for your contribution 👍♥️

to join this conversation