Stored Cross Site Scripting in openemr/openemr

Valid

Reported on

Mar 11th 2022


Vulnerability Type

Stored Cross Site-Scripting (XSS)

Affected URL

https://localhost/openemr-6.0.0/controller.php?practice_settings&document_category&action=add_node&parent_id=XX

Affected Parameter

“name”

Method POST

Authentication Required?

Yes

Issue Summary

A stored XSS vulnerability was found in "/controller.php?practice_settings&document_category&action=add_node&parent_id=XX", which allows an authenticated user to inject arbitrary web script through one parameter (name). The XSS payload fires in the Patient's document list under the affected category name whenever any authenticated user views it.

Credits

Aden Yap Chuen Zhen (chuenzhen.yap2@baesystems.com), Rizan, Sheikh (rizan.sheikhmohdfauzi@baesystems.com), Ali Radzali (muhammadali.radzali@baesystems.com)

Recommendation

HTML-encode any untrusted data before inserting it into HTML element content. All user-supplied input should be sanitized and validated before it is processed and stored. Inputs should be filtered by the application, for example by removing special characters such as < and > as well as special words such as script.
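As an added example (not OpenEMR's own code and not the fix shipped in commit 347ad6), the following PHP shows the recommendation applied to the category name from this report: the vulnerable pattern that echoes the stored name into the document list unchanged, beside a hardened version that HTML-encodes at the point of output and validates the name when it is saved. The function names, the `$categories` sample data and the markup are hypothetical and constructed for illustration.

```php
<?php
// Added example: rendering a stored document-category name safely.
// Function names and the $categories array are hypothetical and
// constructed for this illustration; this is not OpenEMR's code or its fix.

// Vulnerable pattern: the stored name is placed into HTML unchanged, so a
// category saved with a script tag in its name executes in the browser of
// every user who views the document list.
function renderCategoryUnsafe(string $name): string
{
    return '<li class="category">' . $name . '</li>';
}

// Hardened pattern: encode at the point of insertion into element content.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside
// double-quoted attribute values; ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8 instead of silently dropping the value.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCategory(string $name): string
{
    return '<li class="category">' . escapeHtml($name) . '</li>';
}

// Input-side validation at save time (defense in depth, not a substitute for
// output encoding): reject empty, over-long or control-character names before
// they reach storage. The length limit of 100 is an assumed policy value.
function isValidCategoryName(string $name): bool
{
    $len = mb_strlen($name, 'UTF-8');
    if ($len < 1 || $len > 100) {
        return false;
    }
    // Disallow ASCII control characters; everything else is allowed because
    // encoding at output renders it inert.
    return preg_match('/[\x00-\x1F\x7F]/', $name) !== 1;
}

// Constructed sample data: a benign name and the payload from the report.
$categories = [
    'Lab Results',
    '<script>alert(document.cookie)</script>',
];

foreach ($categories as $name) {
    $status = isValidCategoryName($name) ? 'accepted' : 'rejected';
    echo "validation: {$status}\n";
    echo 'unsafe:   ' . renderCategoryUnsafe($name) . "\n";
    echo 'hardened: ' . renderCategory($name) . "\n";
}
```

Note that the second sample passes the save-time validation, which is expected: stripping the characters `<`, `>` or the word `script` at input is a blacklist that is hard to keep complete, whereas encoding every stored value at the point it is written into HTML makes the stored name harmless regardless of its content. Validation here exists to keep junk out of the database, not to be the XSS control.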

Issue Reproduction

Log in as any user that has privileges to add/edit document categories. The Accounting role should be able to add document categories (Administration > Practice > Practice Settings).

Click on Add/Edit in any document category. In this example, we add a new sub-category under the Patient category with our XSS payload. Insert the payload in Category Name and click Save Category once done.

<script>alert(document.cookie)</script>

The XSS fires in the patient's documents under the sub-category created above. For example, an Admin can go to any patient's documents and click on any document that shares the same parent category (Patient) as the newly created sub-category (XSS payload). The admin's cookies pop up in an alert box when any such document is clicked (2021-10-10 payload.txt-21).

We are processing your report and will contact the openemr team within 24 hours. a year ago
r00t.pgp modified the report
a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
We have sent a follow up to the openemr team. We will try again in 7 days. a year ago
openemr/openemr maintainer validated this vulnerability a year ago
r00t.pgp has been awarded the disclosure bounty
The fix bounty is now up for grabs
openemr/openemr maintainer
a year ago

Maintainer


This has been fixed in the latest patch (patch 4) for 6.0.0, which can be found at https://www.open-emr.org/wiki/index.php/OpenEMR_Patches

openemr/openemr maintainer marked this as fixed in 6.0.0.4 with commit 347ad6 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
r00t.pgp
a year ago

Researcher


Hi, Kindly issue a CVE for this vulnerability. Tq

r00t.pgp
a year ago

Researcher


Dear @admin, I've already pinged the maintainer, could you please follow up on the CVE creation? Tq

Dear @maintainer, could you kindly confirm that CVE can be created for this report? Tq

openemr/openemr maintainer
a year ago

Maintainer


Also note that this fix is in the recently released 6.1.0 version.

I consent to creation of CVE.

Jamie Slome
a year ago

Admin


Sorted 👍
