Vulnerability: Stored Cross-Site Scripting (XSS)
Affected URL: https://localhost/openemr-6.0.0/controller.php?practice_settings&document_category&action=add_node&parent_id=XX
Vulnerable parameter: name
Method: POST
Requires authentication: Yes
Description: A stored XSS vulnerability was found in "/controller.php?practice_settings&document_category&action=add_node&parent_id=XX" that allows an authenticated user to inject arbitrary web script via the "name" parameter. The stored payload fires in the patient's document list for the affected category name whenever any authenticated user views that list.
Reported by: Aden Yap Chuen Zhen ([email protected]), Sheikh Rizan ([email protected]), Ali Radzali ([email protected])
Remediation: Ensure that untrusted data is HTML-encoded before it is inserted into HTML element content. All user input should be validated and sanitized before it is processed and stored; for example, the application should filter special characters such as < and > as well as keywords such as "script".
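To show the remediation above in working code, the following is an added PHP example; it is not part of OpenEMR's code base or of this report. It renders a document-category name into a patient's document list twice: once by unescaped string concatenation (the pattern behind this finding) and once with htmlspecialchars() applied at the point of output, and it adds an allowlist validation check for the category name on input. The function names, the markup and the sample input are constructed for illustration.

```php
<?php
// Added example (not OpenEMR's own code): rendering a user-controlled
// document-category name into the patient's document list.

declare(strict_types=1);

/**
 * Encode a string for insertion into HTML element content or a quoted attribute.
 * ENT_QUOTES also encodes ' and ", so the same helper is safe inside attributes.
 */
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable rendering: the category name is concatenated into the markup verbatim,
 * so a stored name such as <script>...</script> is emitted as live markup.
 */
function renderCategoryVulnerable(string $name): string
{
    return '<li class="category">' . $name . '</li>';
}

/**
 * Hardened rendering: identical markup, but the name is encoded on output, so
 * the browser shows the stored payload as text instead of executing it.
 */
function renderCategoryHardened(string $name): string
{
    return '<li class="category">' . escapeHtml($name) . '</li>';
}

/**
 * Input-side validation (defence in depth, hypothetical policy): accept only
 * letters, digits, spaces and a few punctuation characters, 1 to 100 characters.
 * Rejecting bad names early keeps markup out of the database, but output
 * encoding above is still required for anything already stored.
 */
function isValidCategoryName(string $name): bool
{
    return preg_match('/^[\p{L}\p{N} .,_\-()]{1,100}$/u', $name) === 1;
}

// Constructed sample input: the payload from this report used as a category name.
$categoryName = '<script>alert(document.cookie)</script>';

if (!isValidCategoryName($categoryName)) {
    echo "Rejected on input: category name contains disallowed characters", PHP_EOL;
}

// Compare what reaches the browser in each case.
echo "Vulnerable: ", renderCategoryVulnerable($categoryName), PHP_EOL;
echo "Hardened:   ", renderCategoryHardened($categoryName), PHP_EOL;
```

Run it with `php example.php`. The vulnerable line emits the `<script>` element unchanged, while the hardened line emits the angle brackets as `&lt;` and `&gt;`, which the browser renders as literal text. Output encoding is the control that actually neutralises the stored payload; filtering characters such as `<` and `>` or the word `script` on input is worth doing as a second layer, but it is not a substitute, because stored data and other entry points still need encoding at every output location.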
Steps to reproduce:
1. Log in as any user with privileges to add or edit document categories. The Accounting role is able to add document categories (Administration > Practice > Practice Settings).
2. Click Add/Edit on any document category. In this example, a new sub-category is added under the "Patient" category with the XSS payload. Enter the payload as the Category Name and click "Save category".
<script>alert(document.cookie)</script>
3. The XSS fires in the patient's documents view for the sub-category created above. For example, an Admin can open any patient's documents and click any document under the same parent category ("Patient") as the new sub-category; the Admin's cookies are shown in an alert box when any such document is clicked (2021-10-10 payload.txt-21).