Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrR00tpgp8A4D54E2-E1CD-47C3-9304-AC8BE87C80F1
HistoryMar 28, 2022 - 6:21 a.m.

Missing Function Level Access Control

2022-03-2806:21:22
r00tpgp
www.huntr.dev
15
openemr
access control
user roles
vulnerable instances
confidentiality

EPSS

0.002

Percentile

64.9%

JSON

Vulnerability Type

Missing Function Level Access Control

Affected URL

62 vulnerable instances as listed in Table 1

Authentication Required?

Yes

Issue Summary

Web applications usually only show functionality that a user has the need for and right to use in the UI. However, this is not the case for the OpenEMR. Non-privilege users (Accounting, Front-Office, Physician & Clinician) can directly browse to the administrator modules to compromise the confidentiality and integrity of the application. Additionally, the promiscuous privileges of user roles (Accounting, Front-Office, Physician & Clinician) allow users to access each other modules without restriction as listed in Table 1.

Recommendation

Disallow access to all functions in the application by default, then review the user roles matrix of the OpenEMR and apply access only to those users and other parts of the application that are permitted to use it. Don’t rely on the security by obscurity such as hiding buttons and links to functionality within the UI.

Credits

Aden Yap Chuen Zhen ([email protected])

Rizan, Sheikh ([email protected])

Ali Radzali ([email protected])

Issue Reproduction

Login as a user (e.g., Front Office). Choose and browse any of the URL that appear “Vulnerable” belong to user (e.g., Front Office) shown in the Error! Reference source not found… Below are several examples of the affected instances:

1.png
Figure 1: The Modules belong to Front Office user

2.png
Figure 2: Front Office gained unauthorised access to “Administrator -> Forms -> Forms Administrator”: http://localhost/openemr/interface/forms_admin/forms_admin.php

3.png
Figure 3: Accessed to Admin Module “Procedure -> Configuration”: http://localhost/openemr/interface/orders/types.php via window load module after tampered the endpoint using BurpSuite

4.png
Figure 4: Front Office gained unauthorised access to Accounting module “Fees -> Billing Manager”: http://localhost/openemr/interface/billing/billing_report.php

5.png
Figure 5: Front Office gained unauthorised access to Accounting module “Fees -> Payment”: http://localhost/openemr/interface/billing/billing_report.php

table-1.png
table-2.png
table-3.png
Table 1: Affected Instances

Related

osv 1
cve 1
cnvd 1
nvd 1
prion 1
cvelist 1
openvas 1
osv
osv
CVE-2022-2493
2022-07-22 04:15:13
cve
cve
CVE-2022-2493
2022-07-22 04:15:13
cnvd
cnvd
OpenEMR Access Control Error Vulnerability (CNVD-2022-54903)
2022-07-26 00:00:00
nvd
nvd
CVE-2022-2493
2022-07-22 04:15:13
prion
prion
Design/Logic Flaw
2022-07-22 04:15:00
cvelist
cvelist
CVE-2022-2493 Data Access from Outside Expected Data Manager Component in openemr/openemr
2022-07-22 03:47:17
openvas
openvas
OpenEMR < 7.0.0 Multiple Vulnerabilities
2022-07-26 00:00:00

EPSS

0.002

Percentile

64.9%

JSON
Related for 8A4D54E2-E1CD-47C3-9304-AC8BE87C80F1
osv1cve1cnvd1nvd1prion1cvelist1openvas1