Lucene search

K

OpenEMR 5.0.0 Command Injection / Cross Site Scripting Vulnerabilities

๐Ÿ—“๏ธย 02 Dec 2017ย 00:00:00Reported byย Jasveer SinghTypeย 
zdt
ย zdt
๐Ÿ”—ย 0day.today๐Ÿ‘ย 37ย Views

OpenEMR 5.0.0 OS command injection and cross site scripting vulnerabilities, impacting health records and medical data security

Show more
Related
Code
ReporterTitlePublishedViews
Family
NVD
CVE-2017-16540
4 Nov 201719:29
โ€“nvd
OpenVAS
OpenEMR Database Disclosure Vulnerability
6 Nov 201700:00
โ€“openvas
OSV
CVE-2017-16540
4 Nov 201719:29
โ€“osv
Packet Storm
OpenEMR 5.0.0 Command Injection / Cross Site Scripting
4 Dec 201700:00
โ€“packetstorm
Exploit DB
OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting
7 Dec 201700:00
โ€“exploitdb
exploitpack
OpenEMR 5.0.0 - OS Command Injection Cross-Site Scripting
7 Dec 201700:00
โ€“exploitpack
Prion
Code injection
4 Nov 201719:29
โ€“prion
Cvelist
CVE-2017-16540
4 Nov 201719:00
โ€“cvelist
CVE
CVE-2017-16540
4 Nov 201719:29
โ€“cve
Project Description

The โ€œOpenEMRโ€ software is vulnerable to OS command injection which allows an attacker to compromise the server hosting the affected software. Furthermore, reflected cross site scripting vulnerabilities exist as well.
Vendor description

โ€œOpenEMR is the most popular open source electronic health records and medical practice management solution. ONC certified with international usage, OpenEMRโ€™s goal is a superior alternative to its proprietary counterparts.โ€

Source: http://www.open-emr.org/
Business recommendation

By exploiting the vulnerability documented in this advisory, an attacker can fully compromise the web server which has OpenEMR installed. Potentially sensitive health care and medical data might get exposed through this attack.

SEC Consult recommends not to attach OpenEMR to the network until a thorough security review has been performed by security professionals and all identified issues have been resolved. It is assumed that OpenEMR is affected by further critical security issues.
Vulnerability overview/description
1. OS Command Injection

Any OS commands can be injected by an authenticated attacker with any role. This is a serious vulnerability as the chance for the system to be fully compromised is very high.
2. Reflected Cross Site Scripting

This vulnerability allows an attacker to inject malicious client side scripting which will be executed in the browser of users if they visit the manipulated site. There are different issues affecting various components. The flash component has not been fixed yet as OpenEMR is looking for a replacement component.
Proof of concept
1. OS Command Injection

Below is the detail of a HTTP request that needs to be sent to execute arbitrary OS commands through โ€œfax_dispatch.phpโ€.

URL : http://$DOMAIN/interface/fax/fax_dispatch.php?scan=x
METHOD : POST
PAYLOAD : form_save=1&form_cb_copy=1&form_cb_copy_type=1&form_images[]=x&form_
filename='||<os-commands-here>||'&form_pid=1
2. Reflected Cross Site Scripting

The following URL parameters have been identified to be vulnerable against reflected cross site scripting:

The following payload shows a simple alert message box:
a)
URL : http://$DOMAIN/library/openflashchart/open-flash-chart.swf
METHOD : GET
PAYLOAD : [PoC removed as no fix is available]

b)
URL : http://$DOMAIN/library/custom_template/ckeditor/_samples/assets/_posteddata.php
METHOD : POST
PAYLOAD : <script>alert('xss');</script>=SENDF
Vulnerable / tested versions

OpenEMR version 5.0.0 has been tested. This version was the latest at the time the security vulnerability was discovered.
Vendor contact timeline

2017-03-08: Contacting vendor through email.
2017-03-08: Vendor replied with his public key. Advisory sent through secure channel.
2017-03-17: Asked for a status update from the vendor.
2017-03-17: Vendor confirms the vulnerabilities and working on the fixes.
2017-03-31: Asked for a status update from the vendor.
2017-03-31: Vendor informed that they have fixed OS Command Injection and are currently working on fixes for Reflected Cross Site Scripting.
2017-04-16: Vendor publishes Patch 2 which fixes command injection & XSS issue 2b)
2017-04-25: Vendor requesting extension for deadline of 32 days from the latest possible release date.
2017-05-25: Asked for a status update from the vendor.
2017-05-29: Vendor informed that they are working on the fixes.
2017-06-06: Asked for a status update from the vendor.
2017-06-12: Vendor informed that they added solution into the development codebase.
2017-07-05: Asked for a status update from the vendor.
2017-07-10: Vendor informed patch is delayed due to another critical bug fixes.
2017-08-17: Asked for a status update from the vendor. No reply.
2017-08-24: Asked for a status update from the vendor.
2017-08-29: Vendor informed patch will be out soon.
2017-08-30: Asked vendor for specific release date for patch. No reply.
2017-09-08: Asked for a status update from the vendor. No reply.
2017-09-14: Asked for a status update from the vendor.
2017-09-18: Vendor informed that they are testing their patch. No estimation yet on the patch release date.
2017-10-17: Asked for a status update from the vendor. No reply.
2017-10-30: Asked for a status update from the vendor.
2017-10-31: Vendor informed that the patch will be released as soon as possible.
2017-11-15: Asked for a status update from the vendor.
2017-11-21: Vendor informed that they are working on other vulnerabilities
2017-11-30: Public release of SEC Consult advisory.
Solution

The vendor has fixed the code execution issue and XSS 2b) in GIT in March 2017:
https://github.com/openemr/openemr/commit/ee0945a30dbb17ceee82b9b553d7dcb177710ca8#diff-1fdae02fadfcbc6147352cdc7c63279a
The fix has been incorporated in 5.0.0 Patch 2 or higher. The XSS example 2a (flash) is not yet fixed.

Because of critical security issues (CVE-2017-16540) of other security researchers it is highly recommended to upgrade to at least version 5.0.0 Patch 6 immediately.

http://www.open-emr.org/wiki/index.php/OpenEMR_Patches

#  0day.today [2018-04-09]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contactย us for a demo andย discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
02 Dec 2017 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.002
37
.json
Report