Improper authorization - receptionist can read all secure messaging in openemr/openemr
Apr 23rd 2022
Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code.
Proof of Concept
- Install openemr in your system and create an admin account and a receptionist account
- Use admin account and create a secure message by go to Portal > Portal Mail
- Log in as receptionist and go to Portal > Portal Mail, you can see that you see no secure message; the request body for portal mail looks like
Replace this with
owner=admin and you can view all messages by
Allow receptionist to read all messages.
A preliminary fix for this has been placed in our development codebase at following 2 commits: https://github.com/openemr/openemr/commit/81ffc7288b0b9a38e05bd78c9d6a52dd643ee92d https://github.com/openemr/openemr/commit/96b1684a02d43a8c943cfe3e8c7caba51d36dbfb
The fix will officially be released in the next OpenEMR 6.1.0 patch 2 (126.96.36.199). After we release this patch, I will then mark this item as fixed (probably in about a month).
This fix was included in OpenEMR version 7.0.0, which was recently released.