Missing Function Level Access Control in openemr/openemr

Valid

Reported on

Mar 28th 2022


Vulnerability Type

Missing Function Level Access Control

Affected URL

62 vulnerable instances as listed in Table 1

Authentication Required?

Yes

Issue Summary

Web applications usually only show functionality that a user has the need for and right to use in the UI. However, this is not the case for the OpenEMR. Non-privilege users (Accounting, Front-Office, Physician & Clinician) can directly browse to the administrator modules to compromise the confidentiality and integrity of the application. Additionally, the promiscuous privileges of user roles (Accounting, Front-Office, Physician & Clinician) allow users to access each other modules without restriction as listed in Table 1.

Recommendation

Disallow access to all functions in the application by default, then review the user roles matrix of the OpenEMR and apply access only to those users and other parts of the application that are permitted to use it. Don’t rely on the security by obscurity such as hiding buttons and links to functionality within the UI.

Credits

Aden Yap Chuen Zhen (chuenzhen.yap2@baesystems.com)

Rizan, Sheikh (rizan.sheikhmohdfauzi@baesystems.com)

Ali Radzali (muhammadali.radzali@baesystems.com)

Issue Reproduction

Login as a user (e.g., Front Office). Choose and browse any of the URL that appear “Vulnerable” belong to user (e.g., Front Office) shown in the Error! Reference source not found.. Below are several examples of the affected instances:

1.png Figure 1: The Modules belong to Front Office user

2.png Figure 2: Front Office gained unauthorised access to “Administrator -> Forms -> Forms Administrator”: http://localhost/openemr/interface/forms_admin/forms_admin.php

3.png Figure 3: Accessed to Admin Module “Procedure -> Configuration”: http://localhost/openemr/interface/orders/types.php via window load module after tampered the endpoint using BurpSuite

4.png Figure 4: Front Office gained unauthorised access to Accounting module “Fees -> Billing Manager”: http://localhost/openemr/interface/billing/billing_report.php

5.png Figure 5: Front Office gained unauthorised access to Accounting module “Fees -> Payment”: http://localhost/openemr/interface/billing/billing_report.php

table-1.png table-2.png table-3.png Table 1: Affected Instances

Impact

Non privilege users can view privileged information containing personal records belonging to patients.

We are processing your report and will contact the openemr team within 24 hours. 4 months ago
r00t.pgp modified the report
4 months ago
We have contacted a member of the openemr team and are waiting to hear back 4 months ago
We have sent a follow up to the openemr team. We will try again in 7 days. 4 months ago
r00t.pgp modified the report
4 months ago
We have sent a second follow up to the openemr team. We will try again in 10 days. 4 months ago
We have sent a third and final follow up to the openemr team. This report is now considered stale. 4 months ago
openemr/openemr maintainer validated this vulnerability 4 months ago

Currently working on fixes for this.

r00t.pgp has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the openemr team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the openemr team. We will try again in 10 days. 3 months ago
openemr/openemr maintainer
3 months ago

A preliminary fix for this has been placed in our development codebase at https://github.com/openemr/openemr/commit/871ae5198d8ca18fd17257ae7c5c906a52dca908

The fix will officially be released in the next OpenEMR 6.1.0 patch 2 (6.1.0.2). After we release this patch, I will then mark this item as fixed (probably in about a month).

We have sent a third and final fix follow up to the openemr team. This report is now considered stale. 3 months ago
r00t.pgp
14 days ago

Researcher


Hi @admin, according to OpenEMR website @ https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads. The latest version for d/l is 7.0.0. Since this bug is considered fixed, can you kindly issue the CVE for this finding please? Thanks

Jamie Slome
14 days ago

Admin


Happy to issue a CVE if the maintainer is happy for one to be assigned and published.

@maintainer - can I proceed with a CVE for this report?

openemr/openemr maintainer confirmed that a fix has been merged on 871ae5 14 days ago
The fix bounty has been dropped
openemr/openemr maintainer
14 days ago

version 7.0.0 was recently released, which fixed this vulnerability. ok to proceed with CVE

Jamie Slome
14 days ago

Admin


Sorted 👍

to join this conversation