Stored XSS bypasses the protection rules in openemr/openemr
Reported on
Dec 22nd 2022
Description
Hi there,
Someone submitted an XSS vulnerability about your project before. Please see "https://huntr.dev/bounties/f353adfb-e5b8-43e7-957a-894670fd4ccd/" for details. You submitted a fix in 7.0.0.2 with commit 4565d8. But after my tests, I found that it was still unsafe. The following is the code you used.
str_ireplace('javascript', '', $text ?? '');
We can bypass it by inserting an additional 'javascript'.
Video link
https://drive.google.com/file/d/142SE1G7F6cHfc_TZRT7XzJCLu0Y2_887/view?usp=share_link
Steps
1. Log in as admin
2. Go to Admin - Config - Branding
3. Edit the User Manual Link Override field
4. Insert the following payload: javjavascriptascript:alert(document.cookie)
5. Log out as admin
6. Log in as any user and go to "About OpenEMR"
7. Click the User Manual button
Proof of Concept
javjavascriptascript:alert(document.cookie)
Impact
(1) Stealing the administrator's account or cookie lets the intruder log in to the background as an administrator. This enables the intruder to manipulate background data maliciously, including reading, changing, adding and deleting information.
(2) Stealing users' personal information or login accounts poses a huge threat to the security of the website's users; for example, an attacker can impersonate a user to perform various operations.
(3) Planting a drive-by Trojan on the website. First, the malicious attack code is embedded into the web application; when a user browses the compromised page, a Trojan horse is implanted on the user's computer.
(4) Sending advertisements or spam messages. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting users' normal use.
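The following PHP snippet is an added example, not code from the report or from OpenEMR. It reproduces why the quoted single-pass str_ireplace() strip is bypassable (the inner "javascript" is removed and the fragments on either side rejoin into the scheme) and contrasts it with a hypothetical scheme-allowlist check that blanks anything that is not a plain http(s) URL, in the spirit of the maintainer's stated plan to blank the whole address. The function names, the allowlist, the control-character rule and the decision to reject non-absolute URLs are assumptions for illustration; the project's actual fix in the linked commit may differ.

```php
<?php
// Added example (not OpenEMR code): bypassable strip filter vs. allowlist.

// The original filter as quoted in the report. One pass of str_ireplace()
// removes each match once, so "jav" + "javascript" + "ascript" collapses to
// "javascript" after the inner match is deleted.
function strip_javascript_once(?string $text): string
{
    return str_ireplace('javascript', '', $text ?? '');
}

// Hypothetical hardened filter (assumption, not the project's code):
// instead of editing a bad value, return '' unless the value is an
// absolute http(s) URL. Unknown schemes such as "javjavascriptascript"
// are rejected without the filter ever needing to recognise "javascript".
function safe_manual_link(?string $text): string
{
    $url = trim($text ?? '');
    if ($url === '') {
        return '';
    }
    // Browsers strip ASCII control characters and whitespace while parsing a
    // scheme ("java\tscript:" still runs), so reject them outright rather
    // than trying to normalise them away.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return '';
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false) {
        return '';   // relative or unparsable: blank it (design choice)
    }
    if (!in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

// Constructed sample inputs: one legitimate link, the payload from the
// report, and two variants of the same trick.
$samples = [
    'https://www.open-emr.org/wiki/',
    'javascript:alert(document.cookie)',
    'javjavascriptascript:alert(document.cookie)',
    "java\tscript:alert(1)",
    'JAVASCRIPT:alert(1)',
];

foreach ($samples as $input) {
    printf(
        "%-48s strip: %-38s allowlist: %s\n",
        json_encode($input),
        strip_javascript_once($input),
        safe_manual_link($input)
    );
}
```

Run it with `php example.php`: the strip filter turns the report's payload back into `javascript:alert(document.cookie)`, while the allowlist returns an empty string for every input except the https link. The point is that a deny-list edit must be re-applied until a fixed point and still misses encodings the browser tolerates, whereas an allowlist on the parsed scheme fails closed.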
hi @yeipunz, plan to confirm/fix this in near future (likely will just blank out the entire address if javascript is found in it to be as safe as possible). The next OpenEMR patch/release won't be going out for about another 4 weeks.
Also note I deleted the github issue you created to keep this issue private until a fix is released.
hi @Maintainer, of course I will support your work, but the current version of your project does have vulnerabilities. So could you please verify this report? Thanks.
hi @yeipunz, To clarify above where you stated " intruder can log in to the background as an administrator", it is my impression that this vulnerability is only accessible to a user that has been properly authenticated as a OpenEMR administrator. Meaning an administrator needs to properly log into OpenEMR and then set these vulnerable settings in the Config user interface. Correct?
hi @Maintainer, that's correct, you need to get administrator permission to set it first. The key is that attackers can attack other users on the website through this vulnerability after they get administrator permission, which really exists.
This is fixed in the master branch at https://github.com/openemr/openemr/commit/a2adac7320dfc631b1da688c3b04f54b8240fc7b
@yeipunz, @admin, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 3-4 weeks, which will include this fix. At that time (after release OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a cve).
thanks for the report @yeipunz !
hi @admin, @Maintainer, can you assign a CVE for this bug?
The maintainer is in control of CVE assignment, they have the option after fixing & publishing. Please refrain from tagging admins for this request, thanks.
hi @Maintainer, I noticed that the vulnerability has been fixed. Can you submit the corresponding fix (commit) under this report? Thanks.
hi Christy__ , Still same status as above post. I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 2-3 weeks, which will include this fix. At that time (after release OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a cve).
hi @Maintainer, @bradymiller, almost a month has passed, but you still haven't submitted a fix for this report. Do you have any reply?
hi Christy__ , As described above, we cannot use the "Mark as fixed" functionality on huntr.dev since they require a publish date. And we need to ensure that we release 7.0.1 before we can have this vulnerability published. The OpenEMR project does not have firm release dates since the community ensures that releases are secure and bug free (so, it is common that there are delays in releases). Here's a forum post on when we plan to release 7.0.1: https://community.open-emr.org/t/openemr-7-1-vesion/20046 (although this thread states the release is 7.1 in the topic, it will actually be 7.0.1.)
hi @Maintainer, @bradymiller, it has been four months now. May I ask when the CVE for this vulnerability can be applied for? I need to use it in next month's summary report. I hope you can help me. Thank you and have a pleasant time.
hi Christy__ , Sorry for the delay. We are very close to releasing 7.0.1; likely next weekend (4/22 or 4/23). Can see here for ongoing release plans: https://community.open-emr.org/t/preparing-for-7-0-1-release/20135
hi @Maintainer, can you assign a CVE for this report? Thank you!