| Vendor |
|
| Product | OpenEMR |
| Affected Version(s) | 5.0.0 and probably prior |
| Tested Version(s) | 5.0.0 and 5.0.1-dev |
| Vulnerability Discovery | May 21, 2017 |
| Vendor Notification | May 23, 2017 |
| Advisory Publication | May 23, 2017 [without technical details] |
| Vendor Acknowledgment | May 25, 2017 |
| Vendor Fix | Not fixed as of OpenEMR 5.0.0 patch 7 |
| Public Disclosure | March 12, 2018 |
| Latest Modification | March 12, 2018 |
| CVE Identifier(s) | CVE-2017-1000240 |
| Product Description | OpenEMR is a Free and Open Source electronic health records and medical practice management application. It is ONC Certified and it features fully integrated electronic health records, practice management, scheduling, electronic billing, internationalization, free support, a vibrant community, and a whole lot more. |
| Credits | Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group |
| Multiple Reflected & Stored Cross-Site Scripting (XSS) Vulnerabilities | |||
| Severity: Medium | CVSS Score: 5.4 | CWE-ID: CWE-79 | Status: Not Fixed |
| Vulnerability Description | |||
| The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML. | |||
| CVSS Base Score | |||
| Attack Vector | Network | Scope | Changed |
| Attack Complexity | Low | Confidentiality Impact | Low |
| Privileges Required | Low | Integrity Impact | Low |
| User Interaction | Required | Availability Impact | None |
The OpenEMR has multiple Cross-Site Scripting vulnerabilities due to the lack of input validation and output encoding.
The value of the document_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload wizlynx"></script><script>alert("wizlynx says XSS!")</script>group was submitted in the document_id parameter. This input was echoed unmodified and non-encoded in the application's response resulting in a XSS vulnerability.
/openemr/controller.php?document=&update=&patient_id=3&document_id=wizlynx%22%3E%3Cscript%3Ealert%28%22wizlynx%20says%20XSS!%22%29%3C/script%3Egroup&process=true&docname=test.php&docdate=2017-05-20&issue_id=0
The following screenshot shows the JavaScript being executed on the client side:
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
When adding a note to an existing attachment, it is possible to abuse the “note” parameter to inject a malicious JavaScript. This is possible because of the lack of input validation and output encoding, and results in a stored XSS vulnerability. The following screenshot shows the request and response:
The following screenshot shows the server’s response displayed in the browser
/openemr/controller.php?document=&view&patient_id=wizlynx%22%3E%3Cscript%3Ealert%2825%29%3C/script%3Egroup&doc_id=2&
/openemr/interface/patient_file/summary/pnotes_full.php?docid=0&orderid=0&mode=new&trigger=add&offset=0ei5hz"><script>alert(1)<%2fscript> spz31peeulo&form_active=1&form_inactive=1¬eid=&form_doc_only=1&form_note_type=Insurance&assigned_to=Yann¬e=sdfawefa
Note: all Cross-Site Scripting vulnerabilities have not been fixed as of OpenEMR 5.0.0 patch 7.