UI REDRESSING in openemr/openemr
Reported on
Jun 20th 2022
Description
Clickjacking is a portmanteau of two words, ‘click’ and ‘hijacking’. It refers to hijacking a user’s click for malicious intent. In it, an attacker embeds the vulnerable site in a transparent iframe on the attacker’s own website and overlays it with objects such as buttons using CSS skills. This tricks users into performing unintended actions on the vulnerable website, thinking they are doing those on the attacker’s website. Clickjacking is also known as a "UI redress attack".
Proof of Concept
1. Go to this URL: http://web.clickjacker.io/test?url=http:%2F%2Fdemo.openemr.io%2Fopenemr%2Finterface%2Flogin%2Flogin.php%3Fsite%3Ddefault
2. Observe that the website is getting embedded in an iframe.
3. Observe that the headers x-frame-options and content-security-policy frame-ancestors are missing.
Impact
Users are tricked into performing all sorts of unintended actions, such as typing in the password, clicking on a ‘Delete my account’ button, liking a post, deleting a post, or commenting on a blog. In other words, all the actions that a normal user can do on a legitimate website can be done using clickjacking.
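The proof of concept above checks by hand whether the login page can be framed and whether an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive is present. The following Python snippet is an added example, not code from this report or from OpenEMR: it classifies a response's header set the way a browser would treat it, so a defender can run the same check against any page in a CI job or a regression test. The function names (`parse_csp`, `framing_protection`) are assumptions for this example, and the sample header sets are constructed rather than captured from demo.openemr.io.

```python
"""Classify a response's anti-framing (clickjacking) posture from its headers.

Added example; not part of the original report or of the OpenEMR project.
Sample header sets at the bottom are constructed for illustration.
"""
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header value into {directive: [sources]}.

    Directives are ';'-separated; the first token is the directive name and
    the rest are source expressions. Directive names are case-insensitive.
    """
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # A repeated directive is ignored by browsers; keep the first one.
        directives.setdefault(name, tokens[1:])
    return directives


def framing_protection(headers: Dict[str, str]) -> str:
    """Return how well the response restricts being loaded in a frame.

      "csp"     - CSP frame-ancestors present and restrictive (preferred;
                  browsers honour it over X-Frame-Options when both exist)
      "xfo"     - only X-Frame-Options DENY or SAMEORIGIN is present
      "weak"    - a header exists but does not restrict framing, e.g.
                  frame-ancestors * or the deprecated ALLOW-FROM form
      "missing" - neither header present: any origin can frame the page
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    # Content-Security-Policy-Report-Only is deliberately not consulted:
    # it reports violations but does not block framing.
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            wildcard = ("*", "http:", "https:")
            if any(src.lower() in wildcard for src in ancestors):
                return "weak"
            return "csp"

    xfo = lower.get("x-frame-options")
    if xfo:
        if xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
            return "xfo"
        # ALLOW-FROM and multi-valued headers are ignored by modern browsers.
        return "weak"

    return "missing"


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "no headers at all": {},
    "legacy header only": {"X-Frame-Options": "SAMEORIGIN"},
    "deprecated allow-from": {"x-frame-options": "ALLOW-FROM https://example.test"},
    "csp deny": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "csp without frame-ancestors": {
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:30s} -> {framing_protection(hdrs)}")
```

A result of "missing" or "weak" is the condition the report describes; the remediation is to emit both `Content-Security-Policy: frame-ancestors 'self'` (or `'none'` for pages that never need framing) and `X-Frame-Options: SAMEORIGIN` for older browsers, and to keep this check in an automated test so the headers do not silently disappear again.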
Thanks for the report and looking into this. Am going to validate this (and working on a fix), however am unclear of the critical severity. What is the thought process on that and did you use an NVD calculator or some other objective measure for that?
Hi team,
This is the cwe https://cwe.mitre.org/data/definitions/1021.html
Regards, Tharun
A preliminary fix has been posted in commit 203243467675e85b8b479c778e44ae1aac8bad55
Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 3-7 weeks. After I do that, then will be ok to make CVE # and make it public.
Thanks!
OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.