Bypassing client-side restrictions leads to IDOR when creating an appointment in openemr/openemr
Dec 26th 2022
When creating an appointment, a Patient can completely bypass the client-side restrictions: not only can he create an appointment on any date he wants and set the duration of the appointment as long as he wants, but most importantly he can tamper with
form_pid and create appointments for other users.
Proof of Concept
- Log in as a Patient on https://demo.openemr.io/openemr/portal
- Go to the "My appointments" section
- Schedule a new appointment
- You can intercept the request right now and tamper with it, or you can create a regular appointment and then tamper with the update request
- Now take the POST request to /openemr/portal/add_edit_event_user.php and tamper with the data:

POST /openemr/portal/add_edit_event_user.php?eid=21
Host: demo.openemr.io

form_action=save&form_title=Office+Visit&form_apptstatus=%5E&form_category=5&form_date=2022-12-26&form_hour=8&form_minute=30&form_ampm=1&form_duration=85&form_patient=Test&form_pid=5&form_provider_ae=6&form_comments=test
As you can see here, I've created an appointment on a date of my own choice, I've set the duration of the appointment to 85 minutes, and I've set the appointment not for me (I have ID 1, Phil Belford) but for the patient with ID 5.
And this is the result from the Receptionist view:
A patient can create appointments for other users, and can also "cheat" on the date and duration of the appointments.
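The root cause is that the portal endpoint trusts form_pid, form_date and form_duration from the client, so the UI restrictions are the only restrictions. The following PHP is an added example of the server-side check that closes the hole; it is not OpenEMR project code. Field names come from the PoC request above; the function name, the session layout (the logged-in patient's id under 'pid'), the 1/2 AM-PM encoding and the 5-60 minute duration window are assumptions chosen for illustration.

```php
<?php
// Added example, not OpenEMR's own code: server-side authorization and
// validation for a patient-portal appointment save. Session layout, limits
// and the AM/PM encoding are assumptions for illustration.
declare(strict_types=1);

/**
 * Return the list of reasons a portal appointment request must be rejected.
 * An empty array means the request is acceptable.
 *
 * $session: the authenticated portal session (assumed to hold the logged-in
 *           patient's id under 'pid').
 * $form:    the submitted fields (what $_POST holds for the request in the PoC).
 * $now:     current time, injected so the check is deterministic.
 */
function validate_portal_appointment(array $session, array $form, DateTimeImmutable $now): array
{
    $errors = [];

    // 1. Ownership (the IDOR): the pid in the request must be the session's pid.
    //    A patient may only ever book for the patient record they are logged in as.
    $sessionPid = (int)($session['pid'] ?? 0);
    if ($sessionPid <= 0) {
        $errors[] = 'no authenticated patient in session';
    } elseif ((int)($form['form_pid'] ?? 0) !== $sessionPid) {
        $errors[] = 'form_pid does not match the logged-in patient';
    }

    // 2. Date: must be a real Y-m-d date and not in the past (assumed policy).
    $rawDate = (string)($form['form_date'] ?? '');
    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $rawDate);
    if ($date === false || $date->format('Y-m-d') !== $rawDate) {
        $errors[] = 'form_date is not a valid Y-m-d date';
    } elseif ($date < $now->setTime(0, 0)) {
        $errors[] = 'form_date is in the past';
    }

    // 3. Time fields: 12-hour clock as in the PoC; ampm 1 = AM, 2 = PM (assumed).
    $hour = filter_var($form['form_hour'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 12]]);
    $minute = filter_var($form['form_minute'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 59]]);
    $ampm = filter_var($form['form_ampm'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 2]]);
    if ($hour === false || $minute === false || $ampm === false) {
        $errors[] = 'form_hour/form_minute/form_ampm out of range';
    }

    // 4. Duration: the client UI caps this, so the server must cap it too.
    //    5-60 minutes is an assumed window; use the practice's real policy.
    $duration = filter_var($form['form_duration'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 5, 'max_range' => 60]]);
    if ($duration === false) {
        $errors[] = 'form_duration must be an integer between 5 and 60 minutes';
    }

    return $errors;
}

// Constructed demo: the tampered body from the PoC, submitted by a session
// whose patient id is 1 (the reporter), with "today" fixed to the PoC date.
parse_str(
    'form_action=save&form_title=Office+Visit&form_apptstatus=%5E&form_category=5'
    . '&form_date=2022-12-26&form_hour=8&form_minute=30&form_ampm=1&form_duration=85'
    . '&form_patient=Test&form_pid=5&form_provider_ae=6&form_comments=test',
    $tampered
);
$session = ['pid' => 1];
$now = new DateTimeImmutable('2022-12-26');

$errors = validate_portal_appointment($session, $tampered, $now);
if ($errors !== []) {
    // In a real handler: abort the save, return an error, and log the attempt
    // together with the session pid and the submitted form_pid for detection.
    foreach ($errors as $e) {
        echo "rejected: $e\n";
    }
} else {
    echo "accepted\n";
}
```

Run with `php` on the command line; the tampered PoC body is rejected on two counts, the form_pid mismatch (5 vs. the session's 1) and the 85-minute duration. The ownership check is the one that matters for the IDOR: a simpler and equally valid fix is to ignore form_pid entirely and overwrite it from the session before the record is written, so that the client never gets to choose whose appointment it is. Logging the mismatch case (session pid versus submitted pid) gives a clean detection signal for this kind of tampering in the portal logs.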