Non-Privilege User Can Enable or Disable Registered Modules in openemr/openemr
Mar 28th 2022
Insecure Direct Object Reference
Non-privilege users (accounting and front-office roles) can disable and enable registered modules. The module management function is not shown to non-privilege users after login, but such a user can send a POST request directly to the vulnerable endpoint to enable or disable a module.
The server must check the privilege level of the session identified by the OpenEMR cookie before acting on the “modAction” parameter of a POST request to https://localhost/openemr-6.0.0/interface/modules/zend_modules/public/Installer/manage, so that only sessions belonging to Admin or otherwise privileged users can enable or disable registered modules.
Aden Yap Chuen Zhen, Rizan Sheikh, Ali Radzali
An admin user is able to disable and enable registered modules:
Figure 1: Login as Admin. The Document Module is Currently Disabled.
We used Burp to capture the Admin's POST request to this endpoint:
Host: 192.168.0.140
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Origin: http://192.168.0.140
Connection: close
Referer: http://192.168.0.140/openemr-6.0.0/interface/modules/zend_modules/public/Installer
Cookie: OpenEMR=wa2ubMTCtCWeMvZcad%2CtgbXtvYNdGm%2CTpjZ35HztCGO1Sxd4

modId=2&modAction=enable&mod_enc_menu=&mod_nick_name=
Figure 2: Captured Request using Burp. The OpenEMR cookie and modAction parameter are tampered with by a Non-Privilege User.
We swapped the OpenEMR cookie for that of a non-privilege user, such as an Accountant, and were still able to enable and disable modules:
Figure 3: Registered Modules as Seen from the Admin Account After a Non-Privilege User Had Tampered with Them.
Note that the Module function is not visible to a non-privilege user. However, by capturing the Admin's POST request in step 2, we were able to determine the vulnerable endpoint and send modifications to the Module function from a non-privilege session.
Figure 4: Module Function Is Not Visible to Non-Privilege Users
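The missing server-side check described above, written as an added illustration and not taken from OpenEMR's code or its fix commit: the session store, the role names and the manage_module() function are assumptions, while the cookie and form body are the ones from the captured request.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed session store (cookie value -> user record); OpenEMR's real
# session backend and ACL names differ. The first token is the captured
# admin cookie, the second a made-up accountant session.
SESSIONS = {
    "wa2ubMTCtCWeMvZcad%2CtgbXtvYNdGm%2CTpjZ35HztCGO1Sxd4": {"user": "admin", "role": "admin"},
    "accountant-session-token-constructed": {"user": "acct1", "role": "accounting"},
}

ALLOWED_ACTIONS = {"enable", "disable"}
MODULE_ADMIN_ROLES = {"admin"}   # roles permitted to manage registered modules


def manage_module(headers: dict, body: str) -> tuple:
    """Guard for a POST to .../Installer/manage. Returns (status, message).

    The decision is taken from the role bound to the server-side session,
    never from anything the client sends in the form body.
    """
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    token = cookie["OpenEMR"].value if "OpenEMR" in cookie else None
    session = SESSIONS.get(token)
    if session is None:
        return 401, "no valid OpenEMR session"

    form = parse_qs(body, keep_blank_values=True)
    action = form.get("modAction", [""])[0]
    mod_id = form.get("modId", [""])[0]
    if action not in ALLOWED_ACTIONS or not mod_id.isdigit():
        return 400, "malformed modId/modAction"

    # This is the check the vulnerable endpoint lacked: a valid but
    # unprivileged session must not be able to change module state.
    if session["role"] not in MODULE_ADMIN_ROLES:
        return 403, "user %s may not %s modules" % (session["user"], action)
    return 200, "module %s %sd by %s" % (mod_id, action, session["user"])


if __name__ == "__main__":
    body = "modId=2&modAction=enable&mod_enc_menu=&mod_nick_name="
    admin = {"Cookie": "OpenEMR=wa2ubMTCtCWeMvZcad%2CtgbXtvYNdGm%2CTpjZ35HztCGO1Sxd4"}
    acct = {"Cookie": "OpenEMR=accountant-session-token-constructed"}
    print(manage_module(admin, body))   # (200, 'module 2 enabled by admin')
    print(manage_module(acct, body))    # (403, 'user acct1 may not enable modules')
```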
A preliminary fix has been placed in the development codebase: https://github.com/openemr/openemr/commit/619db1d7d7bf5e6a31e7d0489c068998bc9e9327
This fix will be included in the next 6.1.0 patch 1 (188.8.131.52). After we release 6.1.0 patch 1, then we will confirm the fix at that time.
Dear @admin, I've already pinged the maintainer; could you please follow up on the CVE creation? Tq
Dear @maintainer, could you kindly confirm that CVE can be created for this report? Tq
Please do not make this public yet (I am assuming CVE creation will make it public). I will notify here when we release 6.1.0 patch 1 (in likely 1-2 weeks).
Sure, we will wait for your go-ahead on this one 👍
Patch 1 for 6.1.0 (184.108.40.206) has been released, so this fix is now official.
Dear @admin, kindly assign a CVE for this fix since the patch was released. Thank you.