Improper Privilege Management in openemr/openemr

Valid

Reported on

Sep 24th 2021


Description

A user with the predefined Front desk receptionist role has access to the Audit Log Tamper Report function. By default this function is reserved for the predefined system administrator role, and no other users should be able to access it.

Proof of Concept

  • Log in as a user with the Front desk receptionist role

  • Open the following URI: /openemr/interface/reports/audit_log_tamper_report.php

  • The report data is displayed to the unauthorized user.

Impact

A receptionist user is able to access the Audit Log Tamper Report, where information can be gained about failed login attempts.
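The defect described above is a missing authorization check on a report script: any authenticated session can reach it. The following PHP is an added example, not OpenEMR's code or the code from the linked fix; it contrasts an unguarded report handler with one gated by an ACL check. The `aclCheck` function, the `ACL_TABLE` role map, the session arrays and the report body are constructed stand-ins. It is an assumption that the real fix uses OpenEMR's own ACL helper (OpenEMR exposes an `AclMain::aclCheckCore('admin', 'super')` style check); the guard shape is the same either way.

```php
<?php
// Added example (not OpenEMR's code): an unguarded report endpoint versus one
// that denies access unless the caller holds the administrator ACL.
declare(strict_types=1);

// Constructed ACL table: which ACL section/value pairs each role may reach.
// Stand-in for OpenEMR's real ACL storage (assumption).
const ACL_TABLE = [
    'administrators' => ['admin'    => ['super']],
    'front_office'   => ['patients' => ['demo', 'appt']],
];

// Hypothetical ACL helper: true if the session's role holds $section/$value.
function aclCheck(array $session, string $section, string $value): bool
{
    $role = $session['role'] ?? '';
    return in_array($value, ACL_TABLE[$role][$section] ?? [], true);
}

// Constructed stand-in for the real report body.
function renderTamperReport(): string
{
    return 'audit log tamper report: 0 tampered rows';
}

// Vulnerable shape: the script renders the report for anyone with a session.
// Returns [HTTP status, body].
function auditLogTamperReportUnguarded(array $session): array
{
    return [200, renderTamperReport()];
}

// Fixed shape: check the administrator ACL before rendering anything.
function auditLogTamperReportGuarded(array $session): array
{
    if (!aclCheck($session, 'admin', 'super')) {
        return [403, 'Not authorized'];
    }
    return [200, renderTamperReport()];
}

// Constructed sessions: a front desk receptionist and an administrator.
$sessions = [
    ['user' => 'frontdesk1', 'role' => 'front_office'],
    ['user' => 'admin',      'role' => 'administrators'],
];

foreach (['auditLogTamperReportUnguarded', 'auditLogTamperReportGuarded'] as $handler) {
    foreach ($sessions as $s) {
        [$status, $body] = $handler($s);
        printf("%-29s %-15s -> %d %s\n", $handler, $s['role'], $status, $body);
    }
}
```

Run with `php example.php`: the unguarded handler returns 200 and the report body for both roles, while the guarded handler returns 403 for `front_office` and 200 only for `administrators`. The check sits before any data is loaded or rendered, so a forbidden caller learns nothing about the report's contents.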

We created a GitHub Issue asking the maintainers to create a SECURITY.md 10 months ago
TheLabda modified the report
10 months ago
TheLabda modified the report
10 months ago
We have contacted a member of the openemr team and are waiting to hear back 10 months ago
openemr/openemr maintainer
10 months ago

Maintainer


hi, thanks for the report. This issue has been fixed in OpenEMR's master branch: https://github.com/openemr/openemr/pull/4660. Plan to release a 6.0.0 patch in future with this fix (will likely release patch in several weeks).

TheLabda
10 months ago

Researcher


Hi! Thanks for the response. Can you please mark the issue described above as valid?

Thanks,

Labda

openemr/openemr maintainer validated this vulnerability 10 months ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Brady Miller confirmed that a fix has been merged on 9c6051 7 days ago
The fix bounty has been dropped
Brady Miller
7 days ago

Maintainer


this was fixed a while back for the OpenEMR 6.1.0 version
