| Field | Value |
|---|---|
| Affected Version(s) | 5.0.0 and probably prior |
| Tested Version(s) | 5.0.0 and 5.0.1-dev |
| Vulnerability Discovery | May 21, 2017 |
| Vendor Notification | May 23, 2017 |
| Advisory Publication | May 23, 2017 [without technical details] |
| Vendor Acknowledgment | May 25, 2017 |
| Vendor Fix | Not Fixed as of OpenEMR 5.0.0 patch 7 |
| Public Disclosure | March 12, 2018 |
| Latest Modification | March 12, 2018 |
| Product Description | OpenEMR is a Free and Open Source electronic health records and medical practice management application. It is ONC Certified and it features fully integrated electronic health records, practice management, scheduling, electronic billing, internationalization, free support, a vibrant community, and a whole lot more. |
| Credits | Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group |
Unrestricted Upload of File with Dangerous Type

| Severity | CVSS Score | CWE-ID | Status |
|---|---|---|---|
| High | 8.8 | CWE-434 | Not Fixed |

The OpenEMR application allows users to upload files of dangerous types, which can result in arbitrary code execution if the system administrator has not restricted access to the repository hosting uploaded files, as recommended by OpenEMR during the installation process.
| CVSS Base Score metric | Value |
|---|---|
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
The OpenEMR application allows users from all roles to upload files. However, the application does not restrict uploads to a whitelist of safe file types (e.g. PDF, JPG, PNG, DOCX). On the contrary, any type of file can be uploaded to the filesystem through the application.
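To make the weakness concrete, here is an added example (not OpenEMR's code) of a minimal PHP upload handler in the vulnerable shape the advisory describes, beside a hardened version that enforces an extension whitelist, checks the sniffed content type against the extension, and stores the file under a server-generated name. The allow-list, the directory paths and the function names are assumptions for illustration; the `fileinfo` extension is assumed to be available.

```php
<?php
// Added example, not OpenEMR code. Shows the unsafe pattern next to a hardened one.
declare(strict_types=1);

// --- Unsafe: extension never checked, original name kept, written under the
// web root. A .php upload becomes executable if PHP runs in that directory.
function store_upload_unsafe(array $file, string $docRoot): string
{
    $dest = $docRoot . '/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    return $dest; // leaking the full path also tells the uploader where to call it
}

// --- Hardened. Allow-list is an assumption; extend it to what the deployment needs.
// extension => MIME type(s) expected from content sniffing (older libmagic may
// report application/zip for .docx; add it here only if you accept that).
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
];

function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Only the final extension, lower-cased: "shell.php.jpg" is judged by "jpg"
    // (and then by its content), and "shell.PHP" cannot dodge a case-sensitive list.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException("extension not allowed: $ext");
    }
    // $file['type'] is client-supplied; sniff the bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    return $ext;
}

function store_upload_safe(array $file, string $storageDir): string
{
    $ext  = validate_upload($file);
    // Server-generated name: the user-supplied name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    chmod($dest, 0640);  // no execute bit, not world-readable
    return $name;        // hand back an opaque handle, never the server path
}

// Usage sketch (paths are assumptions): keep $storageDir outside the document root
// and serve files through a download script, not by direct URL.
// $name = store_upload_safe($_FILES['document'], '/var/lib/openemr-docs');
```

The storage directory should live outside the web root and be served through a download script that sets `Content-Disposition: attachment` and a fixed `Content-Type`. Where the directory has to stay under the web root, the installation-time recommendation the advisory mentions still applies: deny direct access to it in the web server (Apache: `Require all denied`, or at minimum `php_admin_flag engine off` with mod_php) so that even an unvalidated upload cannot be executed.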
While OpenEMR recommends during installation that access to the repository hosting uploaded files be restricted, such recommendations are too often ignored by users, and this can result in full compromise of the web server and its data. The following screenshot shows the upload of a PHP webshell:
The following screenshot shows the response from the web application indicating the upload was successful. In addition, the application returns the full path of the file just uploaded, which makes locating the file trivial.
Finally, we call the webshell with the parameter “cmd=cat+/etc/passwd” to fetch the passwd file.
Note: This vulnerability has not been fixed as of OpenEMR 5.0.0 patch 7.
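Since the issue is unfixed, an administrator's practical options are the access restriction described above and checking whether anything executable has already landed in the document repository. The following is an added audit script (not OpenEMR's code) that walks an upload directory and reports files with a script extension or a PHP open tag in their first bytes; the default directory path and the extension list are assumptions.

```php
<?php
// Added example, not OpenEMR code: audit an upload directory for script files.
declare(strict_types=1);

// Extensions a document repository should never contain (assumed list; adjust to
// whatever handlers the web server actually maps, e.g. .phtml, .phar).
const SCRIPT_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'phps', 'inc'];

function looks_like_script(string $path): bool
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (in_array($ext, SCRIPT_EXTENSIONS, true)) {
        return true;
    }
    // Also catch a script hidden behind a harmless extension by sniffing the
    // first 4 KiB for a PHP open tag (`<?php` or `<?=`).
    $head = @file_get_contents($path, false, null, 0, 4096);
    return $head !== false && preg_match('/<\?(php\b|=)/i', $head) === 1;
}

function audit_upload_dir(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if (!$f->isFile()) {
            continue;
        }
        $path = $f->getPathname();
        if (looks_like_script($path)) {
            $findings[] = [
                'path'  => $path,
                'size'  => $f->getSize(),
                'mtime' => date('c', $f->getMTime()), // when it appeared helps scope an incident
            ];
        }
    }
    return $findings;
}

// Default path is an assumption for an OpenEMR site's document store; pass the
// real one as the first argument.
$dir = $argv[1] ?? '/var/www/openemr/sites/default/documents';
$findings = audit_upload_dir($dir);
foreach ($findings as $f) {
    printf("%s\t%d bytes\t%s\n", $f['path'], $f['size'], $f['mtime']);
}
exit($findings === [] ? 0 : 1); // non-zero exit lets cron or a monitor alert on hits
```

Run it as the web server user so it sees exactly what the application can, and treat every hit as a candidate for review rather than proof of compromise: a legitimate document can contain the string `<?php`, but a real script file in a repository that should hold only patient documents warrants checking web server access logs for requests to that path.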