Missing Function Level Access Control in openemr/openemr
Reported on
Mar 28th 2022
Vulnerability Type
Missing Function Level Access Control
Affected URL
62 vulnerable instances as listed in Table 1
Authentication Required?
Yes
Issue Summary
Web applications usually expose in the UI only the functionality a user needs and is entitled to use. This is not the case for OpenEMR: restricted modules are merely hidden from a user's menu, and the server does not check the user's role when the URL is requested directly. Non-privileged users (Accounting, Front Office, Physician and Clinician) can therefore browse straight to the administrator modules and compromise the confidentiality and integrity of the application. In addition, the overly permissive privileges of these roles allow each of them to reach the others' modules without restriction, as listed in Table 1.
Recommendation
Deny access to every function in the application by default, then review the OpenEMR user-role matrix and grant access only to the roles that are permitted to use each function. Do not rely on security by obscurity such as hiding buttons and links to functionality in the UI; the check must be enforced server-side on every request, before the module's code runs.
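The default-deny pattern above, as an added example that is not OpenEMR's own code. The route paths mirror the modules named in this report; the permission names, the role set and the two dispatcher functions (the vulnerable "logged in means authorized" pattern beside the hardened one that consults the role matrix) are assumptions made for illustration. The audit helpers show what "review the role matrix" looks like in practice: a route with no permission entry is denied to everyone, which is the safe default, but should still be mapped deliberately or removed.

```python
"""Default-deny function-level access control.

Added example, not OpenEMR's code. Route paths mirror the modules named in the
report; the permission names, role set and dispatcher are assumptions made for
illustration.
"""

# Permission required to execute each server-side entry point.
# An entry point missing from this map is denied to everyone: that is the
# default, and it is what stops a user who types the URL by hand.
ROUTE_PERMISSIONS = {
    "/interface/forms_admin/forms_admin.php": "admin:forms",       # Administrator -> Forms
    "/interface/orders/types.php": "admin:procedure_config",        # Procedure -> Configuration
    "/interface/billing/billing_report.php": "acct:billing",        # Fees -> Billing Manager
}

# Role -> permissions it legitimately needs (the "user roles matrix"; assumed).
ROLE_PERMISSIONS = {
    "Administrator": {"admin:forms", "admin:procedure_config",
                      "acct:billing", "front:scheduling", "clinical:encounters"},
    "Accounting": {"acct:billing"},
    "Front Office": {"front:scheduling"},
    "Physician": {"clinical:encounters"},
    "Clinician": {"clinical:encounters"},
}


def is_authorized(role, route):
    """True only if the route is registered AND the role holds its permission."""
    required = ROUTE_PERMISSIONS.get(route)
    if required is None:
        return False                                      # unmapped route: deny
    return required in ROLE_PERMISSIONS.get(role, set())  # unknown role: no perms


def dispatch_vulnerable(logged_in, route):
    """The pattern the report describes: being authenticated is treated as
    being authorized, so any logged-in role can load any module by URL."""
    if not logged_in:
        return 302, "redirect to login"
    return 200, "rendered " + route


def dispatch_hardened(role, route):
    """Authorization is decided before the handler runs, from the server-side
    role, so hiding or tampering with UI links makes no difference."""
    if role is None:
        return 302, "redirect to login"
    if not is_authorized(role, route):
        return 403, "unauthorized"
    return 200, "rendered " + route


def access_matrix(roles, routes):
    """The role/route matrix the recommendation says to review; a route that
    is False for every role usually means the permission map is incomplete."""
    return {role: {r: is_authorized(role, r) for r in routes} for role in roles}


def unmapped_routes(routes_on_disk):
    """Audit helper: entry points with no permission entry. They are denied
    today, but each one should be mapped deliberately or removed."""
    return sorted(r for r in routes_on_disk if r not in ROUTE_PERMISSIONS)


if __name__ == "__main__":
    for role in ROLE_PERMISSIONS:
        for route in ROUTE_PERMISSIONS:
            print(f"{role:14} {route:45} {dispatch_hardened(role, route)[0]}")
```

The essential property is that `is_authorized` returns False for anything it does not recognise, whether an unregistered route or an unknown role, so a newly added script is closed until someone adds it to the matrix on purpose.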
Credits
Aden Yap Chuen Zhen (chuenzhen.yap2@baesystems.com)
Rizan, Sheikh (rizan.sheikhmohdfauzi@baesystems.com)
Ali Radzali (muhammadali.radzali@baesystems.com)
Issue Reproduction
Log in as a user (e.g., Front Office). Browse directly to any of the URLs marked "Vulnerable" for that user in Table 1; the page loads even though the module is not offered in that user's menu. Below are several examples of the affected instances:
Figure 1: The modules belonging to the Front Office user
Figure 2: Front Office gained unauthorised access to "Administrator -> Forms -> Forms Administrator": http://localhost/openemr/interface/forms_admin/forms_admin.php
Figure 3: Front Office gained unauthorised access to the Admin module "Procedure -> Configuration": http://localhost/openemr/interface/orders/types.php, loaded through the window-load module after tampering with the endpoint in Burp Suite
Figure 4: Front Office gained unauthorised access to Accounting module “Fees -> Billing Manager”: http://localhost/openemr/interface/billing/billing_report.php
Figure 5: Front Office gained unauthorised access to Accounting module “Fees -> Payment”: http://localhost/openemr/interface/billing/billing_report.php
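The reproduction step, automated, as an added example that is not part of the report or of OpenEMR. For every role's authenticated session it requests every URL in the matrix and records whether the page was actually served, which is how a table like Table 1 is built for a release. The fetcher is pluggable: `live_fetch` talks to a real instance with `urllib` (the base URL and the session cookie name are assumptions), while `fake_fetch_unpatched` and `fake_fetch_patched` are constructed responders that model the behaviour described above and a server-side check respectively, so the audit runs offline. Note that the verdict is not based on the HTTP status alone: an application may answer 200 with an "Unauthorized" page, so the body is inspected too.

```python
"""Role-by-URL access audit for missing function-level access control.

Added example, not part of the report or of OpenEMR. For every role's session
it requests every URL in the expected matrix and records whether the page was
served. The fetcher is pluggable so the audit can run offline against
constructed responders; BASE_URL, the cookie name, the expected matrix and the
denial markers are assumptions.
"""
import urllib.error
import urllib.request

BASE_URL = "http://localhost/openemr"      # assumption, as in the report's figures
SESSION_COOKIE = "OpenEMR"                 # assumed cookie name

# Which roles SHOULD be able to load each path (assumed expected matrix).
EXPECTED = {
    "/interface/forms_admin/forms_admin.php": {"Administrator"},
    "/interface/orders/types.php": {"Administrator"},
    "/interface/billing/billing_report.php": {"Administrator", "Accounting"},
}

# Phrases an application shows when it refuses a page while still answering
# 200; the status code alone is not enough to decide (assumed markers).
DENIED_MARKERS = ("unauthorized", "not authorized", "access denied")


def page_served(status, body):
    """A page counts as served when it came back 200 without a refusal notice."""
    return status == 200 and not any(m in body.lower() for m in DENIED_MARKERS)


def audit(sessions, fetch, base_url=BASE_URL):
    """sessions: role -> session cookie value; fetch: (url, cookie) -> (status, body).
    Returns (role, path, verdict) triples: 'Vulnerable' when a role that should
    be denied got the page, 'Broken' when an entitled role was refused."""
    findings = []
    for path, allowed_roles in EXPECTED.items():
        for role, cookie in sessions.items():
            status, body = fetch(base_url + path, cookie)
            got_page = page_served(status, body)
            if got_page and role not in allowed_roles:
                findings.append((role, path, "Vulnerable"))
            elif not got_page and role in allowed_roles:
                findings.append((role, path, "Broken"))
    return findings


def live_fetch(url, cookie):
    """Fetch against a real instance, replaying the role's session cookie."""
    req = urllib.request.Request(url, headers={"Cookie": f"{SESSION_COOKIE}={cookie}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sessions and responders for offline use.
FAKE_SESSIONS = {"Administrator": "s-adm", "Accounting": "s-acct", "Front Office": "s-fo"}


def fake_fetch_unpatched(url, cookie):
    """Models the reported behaviour: any logged-in session gets any module."""
    if cookie not in FAKE_SESSIONS.values():
        return 302, ""                                   # not logged in
    return 200, "<html><body>module loaded</body></html>"


def fake_fetch_patched(url, cookie):
    """Models a server-side role check: entitled roles get the page, others
    get an 'Unauthorized' notice (still HTTP 200, as many PHP apps do)."""
    role = next((r for r, c in FAKE_SESSIONS.items() if c == cookie), None)
    path = url[len(BASE_URL):]
    if role in EXPECTED.get(path, set()):
        return 200, "<html><body>module loaded</body></html>"
    return 200, "<html><body>Unauthorized</body></html>"


if __name__ == "__main__":
    for finding in audit(FAKE_SESSIONS, fake_fetch_unpatched):
        print(*finding)
```

Against the unpatched model every non-entitled role/path pair is reported as "Vulnerable"; against the patched model the audit is empty. Running the same matrix before and after a fix, with `live_fetch` and real session cookies, is the quickest way to confirm that a patch closed every instance and did not lock out a role that legitimately needs a module (the "Broken" verdict).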
Impact
Non-privileged users can view privileged information, including personal records belonging to patients.
Currently working on fixes for this.
A preliminary fix for this has been placed in our development codebase at https://github.com/openemr/openemr/commit/871ae5198d8ca18fd17257ae7c5c906a52dca908
The fix will officially be released in the next OpenEMR 6.1.0 patch 2 (6.1.0.2). After we release this patch, I will then mark this item as fixed (probably in about a month).
Hi @admin, according to the OpenEMR website at https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads, the latest version for d/l is 7.0.0. Since this bug is considered fixed, can you kindly issue the CVE for this finding please? Thanks
Happy to issue a CVE if the maintainer is happy for one to be assigned and published.
@maintainer - can I proceed with a CVE for this report?
Version 7.0.0 was recently released, which fixed this vulnerability. OK to proceed with the CVE.