Improper Privilege Management in openemr/openemr

Valid

Reported on

Sep 24th 2021


Description

A predefined Front desk receptionist user has access to the Audit Log Tamper Report function. By default this is a predefined system administrator function, and no other users should be able to access it.

Proof of Concept

  • Log in with a Front desk receptionist user

  • Simply open the following URI /openemr/interface/reports/audit_log_tamper_report.php

  • The data is being displayed for the unauthorized user.

Impact

A receptionist user is able to access the Audit Log, where information can be gained about failed login attempts.
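Whether this access has already occurred can be checked after the fact. The following is an added example (not code from the report or from OpenEMR): a scan that flags successful requests to the audit log tamper report path by users whose role is not administrative. The log line format, the usernames and the role map are constructed, and the example assumes the deployment records the authenticated OpenEMR username for each request.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the report): "timestamp user method path status".
# A plain web-server access log carries no OpenEMR username; it would first need a
# session-to-user join, which is out of scope here.
SAMPLE_LOG = """\
2021-09-24T10:01:12Z admin GET /openemr/interface/reports/audit_log_tamper_report.php 200
2021-09-24T10:05:40Z reception1 GET /openemr/interface/main/main_screen.php 200
2021-09-24T10:06:02Z reception1 GET /openemr/interface/reports/audit_log_tamper_report.php 200
2021-09-24T10:07:15Z reception1 GET /openemr/interface/reports/audit_log_tamper_report.php?form_from_date=2021-09-01 200
2021-09-24T10:09:33Z billing1 GET /openemr/interface/reports/audit_log_tamper_report.php 403
"""

# Constructed user-to-role map (hypothetical; export it from the real user table).
USER_ROLES = {
    "admin": "System administrator",
    "reception1": "Front desk receptionist",
    "billing1": "Accounting",
}

# The report says this script should be reachable only by system administrators.
ADMIN_ONLY_PATHS = {"/openemr/interface/reports/audit_log_tamper_report.php"}
ADMIN_ROLES = {"System administrator"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def find_unauthorized_report_access(log_text, user_roles):
    """Return (ts, user, role, path) for every successful (2xx) request to an
    admin-only report made by a user whose role is not administrative."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = m["path"].split("?", 1)[0]  # drop the query string before comparing
        status = int(m["status"])
        role = user_roles.get(m["user"], "unknown")
        if path in ADMIN_ONLY_PATHS and 200 <= status < 300 and role not in ADMIN_ROLES:
            hits.append((m["ts"], m["user"], role, path))
    return hits


def summarize(hits):
    """Count successful unauthorized reads per user, for triage."""
    return Counter(user for _, user, _, _ in hits)


if __name__ == "__main__":
    hits = find_unauthorized_report_access(SAMPLE_LOG, USER_ROLES)
    for hit in hits:
        print("UNAUTHORIZED", *hit)
    print(summarize(hits))
```

A 403 response (billing1 above) is excluded on purpose: it shows the check working and is not evidence of disclosure.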

We created a GitHub Issue asking the maintainers to create a SECURITY.md (2 years ago)
TheLabda modified the report (2 years ago)
TheLabda modified the report (2 years ago)
We have contacted a member of the openemr team and are waiting to hear back (2 years ago)

openemr/openemr maintainer (Maintainer), 2 years ago:

Hi, thanks for the report. This issue has been fixed in OpenEMR's master branch: https://github.com/openemr/openemr/pull/4660. Plan to release a 6.0.0 patch in future with this fix (will likely release patch in several weeks).

TheLabda (Researcher), 2 years ago:

Hi! Thanks for the response. Can you please mark the issue described above as valid?

Thanks,

Labda

openemr/openemr maintainer validated this vulnerability (2 years ago)
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Brady Miller marked this as fixed in 6.1.0 with commit 9c6051 (10 months ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE

Brady Miller (Maintainer), 10 months ago:

This was fixed a while back for the OpenEMR 6.1.0 version.