File Upload Type Validation Error in openemr/openemr


Reported on

Oct 7th 2022


The upload functionality does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.

Proof of Concept

The following request was modified to allow uploading HTML file using a valid GIF signature, but can be modified to upload any kind of content-type:

POST /openemr/controller.php?document&upload&patient_id=00&parent_id=1& HTTP/1.1
Upgrade-Insecure-Requests: 1

Content-Disposition: form-data; name="MAX_FILE_SIZE"

Content-Disposition: form-data; name="file[]"; filename="1111.txt"
Content-Type: text/html

Content-Disposition: form-data; name="dicom_folder[]"; filename=""
Content-Type: application/octet-stream


The security checks where implemented using the mime_content_type function, but if it pass that filter, the file content-type was always stored as-is.


This could allow an attacker to write custom pages that will be shown in the context openemr domain. Those pages can contain phising html or even JS code that will be executed in the context of the active user browser.


In that line was stored the mimetype as sent. One of the solutions could be return the mimetype returned by isWhiteFile function.

We are processing your report and will contact the openemr team within 24 hours. a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
We have sent a follow up to the openemr team. We will try again in 7 days. a year ago
We have sent a second follow up to the openemr team. We will try again in 10 days. a year ago
openemr/openemr maintainer has acknowledged this report a year ago
Brady Miller validated this vulnerability a year ago
xkulio has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller marked this as fixed in with commit 2e7678 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
C_Document.class.php#L297 has been validated
Brady Miller published this vulnerability a year ago
Brady Miller
a year ago

@admin, please assign a CVE. thanks!

to join this conversation