The name of any uploaded document can be manipulated through the “destination” parameter to include newline characters. This can be abused to break the execution of JS code in the “Documents” section, leaving it unusable until the malicious record is removed from the DB.
Successful exploitation of this issue could lead to a denial of service, leaving the documents section broken and unusable until the record is removed from the database.
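The failure mode described above, with two mitigations, as an added example that is not part of the original advisory or of OpenEMR's code. It assumes the Documents page pastes the stored name into a quoted JavaScript string (the advisory does not show the template); all function names and sample values are hypothetical.

```javascript
// Parse a script source without running it, as a browser does before execution.
function parses(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Assumed vulnerable pattern: stored name concatenated raw into a quoted literal.
// A raw newline ends the literal early, so the whole script block fails to parse.
function renderNaive(name) {
  return "var docName = '" + name + "';\nvar ready = true;";
}

// Mitigation 1 (output side): serialize as a JS string literal and escape the
// characters that are unsafe inside an inline <script> element.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(name) {
  return "var docName = " + jsLiteral(name) + ";\nvar ready = true;";
}

// Evaluate the hardened output and return the value the page would see.
function roundTrip(name) {
  return new Function(renderSafe(name) + "\nreturn docName;")();
}

// Mitigation 2 (input side): reject control characters and line separators
// in the submitted name before the record is stored.
function isValidDocumentName(name) {
  return typeof name === "string" && name.length > 0 &&
    !/[\u0000-\u001f\u007f\u0085\u2028\u2029]/.test(name);
}

// Constructed sample inputs, not taken from the advisory.
const SAMPLE_BAD = "report\n2024.pdf";
const SAMPLE_OK = "report-2024.pdf";
```

Encoding on output keeps the page working even for records stored before input validation was introduced.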
The following request was sent to upload a dummy file that included a newline character in the “destination” parameter:
POST /openemr/controller.php?document&upload&patient_id=00&parent_id=1& HTTP/1.1