Improper authorization - receptionist can read all secure messaging in openemr/openemr

Valid

Reported on Apr 23rd 2022


Description

Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code.

Proof of Concept

  1. Install openemr on your system and create an admin account and a receptionist account
  2. Using the admin account, create a secure message by going to Portal > Portal Mail
  3. Log in as the receptionist and go to Portal > Portal Mail; you can see that there is no secure message. The request body for portal mail looks like
task=getdeleted&owner=receptionist

Replace this with owner=admin and you can view all messages of the admin user.

Impact

Allows a receptionist to read all messages.
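The flaw in the report is that the server lets the request body's owner field decide whose mailbox is read. The following is an added example, not OpenEMR's code and not the project's actual fix: the trusting pattern beside a handler that derives the owner from the authenticated session and refuses mismatches. MESSAGES, Session and the handler names are constructed for illustration.

```python
"""Added example (not OpenEMR code): client-supplied 'owner' vs. session-derived check."""
from dataclasses import dataclass
from urllib.parse import parse_qsl

# Constructed sample mailbox store keyed by owner; not real data.
MESSAGES = {
    "admin": [{"id": 1, "subject": "Secure message from admin"}],
    "receptionist": [],
}


@dataclass
class Session:
    user: str              # username established by server-side login
    is_admin: bool = False  # explicit privilege, not derived from the request


def parse_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body such as the PoC's."""
    return dict(parse_qsl(body, keep_blank_values=True))


def get_messages_vulnerable(session: Session, body: str) -> list:
    """Flawed pattern: whoever is logged in can name any owner in the body."""
    params = parse_body(body)
    owner = params.get("owner", session.user)   # attacker-controlled
    return MESSAGES.get(owner, [])


def get_messages_fixed(session: Session, body: str) -> list:
    """Hardened pattern: the session decides the mailbox. A body-supplied owner
    is honoured only if it equals the session user or the caller is an admin."""
    params = parse_body(body)
    requested = params.get("owner", session.user)
    if requested != session.user and not session.is_admin:
        # Refuse instead of silently falling back, so the attempt is visible in logs.
        raise PermissionError(f"{session.user} may not read mailbox of {requested}")
    return MESSAGES.get(requested, [])


def is_denied(session: Session, body: str) -> bool:
    """Helper for checks: True when the hardened handler refuses the request."""
    try:
        get_messages_fixed(session, body)
    except PermissionError:
        return True
    return False
```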

We are processing your report and will contact the openemr team within 24 hours. a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
We have sent a follow up to the openemr team. We will try again in 7 days. a year ago
We have sent a second follow up to the openemr team. We will try again in 10 days. a year ago
openemr/openemr maintainer validated this vulnerability a year ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
openemr/openemr maintainer (Maintainer), a year ago:

A preliminary fix for this has been placed in our development codebase at the following 2 commits:
https://github.com/openemr/openemr/commit/81ffc7288b0b9a38e05bd78c9d6a52dd643ee92d
https://github.com/openemr/openemr/commit/96b1684a02d43a8c943cfe3e8c7caba51d36dbfb

The fix will officially be released in the next OpenEMR 6.1.0 patch 2 (6.1.0.2). After we release this patch, I will then mark this item as fixed (probably in about a month).

We have sent a fix follow up to the openemr team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the openemr team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the openemr team. This report is now considered stale. a year ago
openemr/openemr maintainer marked this as fixed in 7.0.0 with commit 81ffc7 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
openemr/openemr maintainer (Maintainer), 10 months ago:

This fix was included in OpenEMR version 7.0.0, which was recently released.
