Missing Function Level Access Control in openemr/openemr
Mar 28th 2022
Missing Function Level Access Control
62 vulnerable instances as listed in Table 1
Web applications usually show in the UI only the functionality a user needs and is entitled to use, and the server should enforce the same restriction on every request. In OpenEMR the restriction stops at the UI: non-privileged users (Accounting, Front Office, Physician and Clinician) can browse directly to the administrator modules and thereby compromise the confidentiality and integrity of the application. In addition, the overly broad privileges of these roles (Accounting, Front Office, Physician and Clinician) allow users to reach each other's modules without restriction, as listed in Table 1.
Deny access to every function in the application by default, then review the OpenEMR user role matrix and grant access only to the roles that are permitted to use each module. Enforce that check on the server for every request; do not rely on security by obscurity such as hiding buttons and links to functionality in the UI, because a user can still request the URL directly.
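The following is an added illustration of the deny-by-default pattern described above; it is not OpenEMR code and does not reproduce OpenEMR's ACL objects. The role and module names are assumptions chosen to mirror the roles named in this report. It places the vulnerable pattern (authorization only in menu rendering) beside the hardened one (authorization on every dispatch), so a reader can see why hiding links does nothing against a direct request.

```python
"""Function-level access control: vulnerable vs hardened dispatch.

Added example, not from the OpenEMR project. Role and module names are
assumed for illustration.
"""


class Forbidden(Exception):
    """Raised when a role may not invoke the requested module."""


# Assumed role matrix: module -> roles permitted to execute it.
# Any module or role not listed is denied; "administrator" is listed
# explicitly rather than via a wildcard so the matrix stays reviewable.
ROLE_MATRIX = {
    "patient_demographics": {"administrator", "front_office", "physician", "clinician"},
    "patient_encounters": {"administrator", "physician", "clinician"},
    "billing": {"administrator", "accounting"},
    "user_administration": {"administrator"},
    "global_settings": {"administrator"},
}


def is_authorized(role, module):
    """Deny by default: unknown modules and unknown roles are both rejected."""
    return role in ROLE_MATRIX.get(module, frozenset())


def _handlers():
    """Constructed stand-ins for module entry points (one per module)."""
    return {m: (lambda m=m: f"{m}: ok") for m in ROLE_MATRIX}


# --- vulnerable pattern: the only check is which links the menu renders ---
def vulnerable_menu(role):
    """Menu rendering hides modules the role may not use."""
    return sorted(m for m in ROLE_MATRIX if role in ROLE_MATRIX[m])


def vulnerable_dispatch(role, module, handlers):
    """Anyone who knows the module name reaches its handler; role is ignored."""
    return handlers[module]()


# --- hardened pattern: the check runs on every request, before the handler ---
def hardened_dispatch(role, module, handlers):
    """Refuse before touching the handler, so unknown modules are also denied."""
    if not is_authorized(role, module):
        raise Forbidden(f"role {role!r} may not access {module!r}")
    return handlers[module]()


def probe(role, module, dispatch):
    """Return an HTTP-style status for a (role, module) pair under a dispatcher."""
    try:
        dispatch(role, module, _handlers())
        return 200
    except Forbidden:
        return 403
    except KeyError:
        return 404


if __name__ == "__main__":
    for role in ("front_office", "accounting", "administrator"):
        for module in ("user_administration", "billing"):
            print(
                f"{role:15} {module:20} vulnerable={probe(role, module, vulnerable_dispatch)}"
                f" hardened={probe(role, module, hardened_dispatch)}"
            )
```

Note that the hardened dispatcher answers 403 for a module that does not exist at all, rather than 404: the authorization decision is taken before any lookup, so a probing user learns nothing about which module names are valid.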
Aden Yap Chuen Zhen
Rizan, Sheikh
Ali Radzali
Log in as a user (e.g., Front Office). Browse directly to any of the URLs marked “Vulnerable” for that user (e.g., Front Office) in Table 1. Below are several examples of the affected instances:
Non-privileged users can view privileged information, including personal records belonging to patients.
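The reproduction step above (log in as each role, request each URL, record what comes back) is easy to automate across a list of the size in Table 1. The block below is an added example of the comparison step, not part of this report or of OpenEMR: it takes an intended role matrix and a set of observed responses and reports every (role, URL) pair that was reachable without being permitted. The URLs, roles and observed statuses are constructed for illustration. It also handles the false positive a practitioner would hit in practice, a 200 response whose body is actually a "not authorized" page.

```python
"""Audit observed access against the intended role matrix.

Added example, not from the report or the OpenEMR project. URLs, roles
and observations are constructed; they do not describe real instances.
"""

# Assumed intended matrix: URL -> roles that should be able to reach it.
EXPECTED = {
    "/interface/admin/users.php": {"administrator"},
    "/interface/admin/globals.php": {"administrator"},
    "/interface/billing/ledger.php": {"administrator", "accounting"},
    "/interface/patient/demographics.php": {
        "administrator", "front_office", "physician", "clinician",
    },
}

# Marker that an application may put in a 200 page when it refused the
# request; assumed for the example, adjust to the target's real text.
DENIAL_MARKER = "Not authorized"

# Constructed observations: role -> url -> (status, body snippet), as a
# crawler logged in as each role would record them.
OBSERVED = {
    "front_office": {
        "/interface/admin/users.php": (200, "<h1>Users</h1>"),
        "/interface/admin/globals.php": (200, "<h1>Globals</h1>"),
        "/interface/billing/ledger.php": (200, "<h1>Ledger</h1>"),
        "/interface/patient/demographics.php": (200, "<h1>Demographics</h1>"),
    },
    "accounting": {
        "/interface/admin/users.php": (200, "<p>Not authorized</p>"),
        "/interface/admin/globals.php": (403, ""),
        "/interface/billing/ledger.php": (200, "<h1>Ledger</h1>"),
        "/interface/patient/demographics.php": (200, "<h1>Demographics</h1>"),
    },
    "physician": {
        "/interface/admin/unlisted.php": (200, "<h1>Unlisted</h1>"),
        "/interface/patient/demographics.php": (200, "<h1>Demographics</h1>"),
    },
    "administrator": {
        "/interface/admin/users.php": (200, "<h1>Users</h1>"),
        "/interface/admin/globals.php": (200, "<h1>Globals</h1>"),
        "/interface/billing/ledger.php": (200, "<h1>Ledger</h1>"),
        "/interface/patient/demographics.php": (200, "<h1>Demographics</h1>"),
    },
}


def reached(status, body):
    """True when the response actually served the function.

    A 200 carrying the denial marker is treated as refused; everything
    that is not a 200 (403, 302 to the login page, ...) is refused too.
    """
    return status == 200 and DENIAL_MARKER not in body


def find_vulnerable(expected, observed):
    """Return sorted (role, url) pairs reachable by a role not in the matrix.

    A URL missing from the matrix is treated as permitted to nobody, so an
    unlisted endpoint that answers is reported rather than silently passed.
    """
    findings = []
    for role, results in observed.items():
        for url, (status, body) in results.items():
            allowed = expected.get(url, frozenset())
            if reached(status, body) and role not in allowed:
                findings.append((role, url))
    return sorted(findings)


def summarize(findings):
    """Group findings by role, in the shape of a per-role table."""
    by_role = {}
    for role, url in findings:
        by_role.setdefault(role, []).append(url)
    return by_role


if __name__ == "__main__":
    for role, urls in summarize(find_vulnerable(EXPECTED, OBSERVED)).items():
        print(f"{role}: {len(urls)} vulnerable instance(s)")
        for url in urls:
            print(f"  {url}")
```

The defaulting of unknown URLs to "no role" matches the remediation advice: the matrix is the allow-list, and anything the crawler reaches outside it is a finding to be triaged, not an implicit permission.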