Non-Privilege User Can View Patient’s Disclosures in openemr/openemr
Mar 28th 2022
Insecure Direct Object Reference
Non-privilege users (accounting, front office) can view patient’s disclosures and have the capability to add, edit and delete the patient’s disclosures. This function is not visible to non-privilege users upon viewing patient’s dashboard but a non-privilege users can directly send a GET request to the vulnerable endpoint and view it.
The OpenEMR cookie must be checked against the document parameters sent in the GET request to https://localhost/openemr-6.0.0/interface/patient_file/summary/record_disclosure.php to ensure that only cookies belonging to Admin or privileged users are allowed to view and use the features in forms administration.
Aden Yap Chuen Zhen (email@example.com)
Rizan, Sheikh (firstname.lastname@example.org)
Ali Radzali (email@example.com)
Login to EMR using admin and we can see there is Disclosures in the patient’s dashboard. Click on “Edit”.
Figure 1: Login as Administrator and View Patient’s Disclosures
Figure 2: Admin View List of Disclosures
Now, using a non-admin account, Eg Accountant user should not be able to view the patient’s disclosures.
Figure 3: Non-privilege Account Cannot View Patient’s Disclosures
Using Burp, we intercept the Admin request to edit the patient’s disclosures and swap the “OpenEMR” cookie using an Accountant cookie and we are be able to view the patient’s disclosures.
Figure 4: Burp Request Captured Using Accountant Cookie to View Forms Administration
Figure 5: Non-privilege Account Can View Patient ‘s Disclosures
The Raw Request looks like:
GET /openemr/interface/patient_file/summary/record_disclosure.php?editlid=3 HTTP/1.1 Host: 192.168.153.129 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://192.168.153.129/openemr/interface/main/tabs/main.php?token_main=KnYCfBmjS9pZH0KnzZ5exFXbcAxxhKUP2JZwnEFD Cookie: OpenEMR=wXLcHx6rd0afp3JGFiB%2Cps94aa3icGyGvUi0DunXZ2YcFwuo Upgrade-Insecure-Requests: 1
The non-privilege users also have the capabilities to edit, add or delete any patient’s disclosures.
Currently working on a fix for this.
A preliminary fix has been placed in the development codebase: https://github.com/openemr/openemr/commit/fcccf0100ac4ae38342fa682682a5d83b42fcb95
This fix will be included in the next 6.1.0 patch 1 (126.96.36.199) . After we release 6.1.0 patch 1, then we will confirm the fix at that time.
Patch 1 for 6.1.0 (188.8.131.52) has been released, so this fix is now official.
Dear @admin kindly issue cve for this fix. Tq