UI REDRESSING in openemr/openemr

Valid

Reported on Jun 20th 2022


Description

Clickjacking is a portmanteau of the words ‘click’ and ‘hijacking’: it refers to hijacking a user’s click for malicious intent. An attacker embeds the vulnerable site in a transparent iframe on the attacker’s own website and overlays it with objects such as buttons using CSS. This tricks users into performing unintended actions on the vulnerable website while thinking they are acting on the attacker’s website. Clickjacking is also known as a "UI redress attack".

Proof of Concept

1. Go to this URL: http://web.clickjacker.io/test?url=http:%2F%2Fdemo.openemr.io%2Fopenemr%2Finterface%2Flogin%2Flogin.php%3Fsite%3Ddefault
2. Observe that the website is embedded in an iframe.
3. Observe that the X-Frame-Options and Content-Security-Policy frame-ancestors headers are missing.

Impact

Users are tricked into performing all sorts of unintended actions, such as typing in a password, clicking a ‘Delete my account’ button, liking a post, deleting a post, or commenting on a blog. In other words, any action a normal user can perform on the legitimate website can be triggered using clickjacking.
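Step 3 of the proof of concept checks for the two anti-framing headers by eye. The Python below, added here and not part of the report or of OpenEMR, encodes the browser rules for those headers as a check over a response's header map; the two sample header sets are constructed, not captured from the demo site.

```python
"""Assess whether an HTTP response's headers stop the page from being framed.

Browser rules applied (documented browser behaviour, not OpenEMR-specific):
 - A Content-Security-Policy with a frame-ancestors directive is authoritative
   and makes browsers ignore X-Frame-Options.
 - X-Frame-Options DENY or SAMEORIGIN protects; ALLOW-FROM is obsolete and
   ignored by current browsers, so it is treated as no protection.
 - Content-Security-Policy-Report-Only never blocks framing.
"""


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source tokens]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def assess_framing(headers: dict[str, str]) -> tuple[bool, str]:
    """Return (protected, reason) for a header mapping; names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in h:
        ancestors = parse_csp(h["content-security-policy"]).get("frame-ancestors")
        if ancestors is not None:
            # '*' or a bare scheme source lets any site frame the page
            if any(src in ("*", "http:", "https:") for src in ancestors):
                return False, "frame-ancestors permits any origin"
            return True, f"CSP frame-ancestors {' '.join(ancestors)}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by browsers"
    if "content-security-policy-report-only" in h:
        return False, "only a report-only CSP is set; it does not block framing"
    return False, "no X-Frame-Options or CSP frame-ancestors header"


# Constructed sample responses (not captured from demo.openemr.io)
UNPROTECTED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "OpenEMR=abc; path=/; HttpOnly",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED_HEADERS), ("hardened", HARDENED_HEADERS)):
        ok, why = assess_framing(hdrs)
        print(f"{name}: {'protected' if ok else 'FRAMEABLE'} ({why})")
```

The same check can be run over the headers returned by any HTTP client; only the header mapping is needed, so it works on saved responses as well.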

We are processing your report and will contact the openemr team within 24 hours. 3 months ago
We have contacted a member of the openemr team and are waiting to hear back 3 months ago
We have sent a follow up to the openemr team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the openemr team. We will try again in 10 days. 3 months ago
We have sent a third and final follow up to the openemr team. This report is now considered stale. 2 months ago
Brady Miller
2 months ago

Maintainer


Thanks for the report and looking into this. I am going to validate this (and am working on a fix); however, I am unclear on the critical severity. What is the thought process on that, and did you use an NVD calculator or some other objective measure for that?

tharunavula
2 months ago

Researcher


Hi team,

This is the cwe https://cwe.mitre.org/data/definitions/1021.html

Regards, Tharun

Brady Miller validated this vulnerability 2 months ago
tharunavula has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller
2 months ago

Maintainer


A preliminary fix has been posted in commit 203243467675e85b8b479c778e44ae1aac8bad55

Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 3-7 weeks. After I do that, then will be ok to make CVE # and make it public.

Thanks!

We have sent a fix follow up to the openemr team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the openemr team. We will try again in 10 days. 2 months ago
Brady Miller confirmed that a fix has been merged on 203243 a month ago
The fix bounty has been dropped
Brady Miller
a month ago

Maintainer


OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.

tharunavula
a month ago

Researcher


@admin can you assign a CVE and make this public?

Jamie Slome
a month ago

Admin


Sorted 👍
