
Unrestricted Upload of File with Dangerous Type in OpenEMR

Vendor
Product: OpenEMR
Affected Version(s): 5.0.0 and probably prior
Tested Version(s): 5.0.0 and 5.0.1-dev
Vulnerability Discovery: May 21, 2017
Vendor Notification: May 23, 2017
Advisory Publication: May 23, 2017 [without technical details]
Vendor Acknowledgment: May 25, 2017
Vendor Fix: Not Fixed as of OpenEMR 5.0.0 patch 7
Public Disclosure: March 12, 2018
Latest Modification: March 12, 2018
CVE Identifier(s): CVE-2017-9380
Product Description: OpenEMR is a Free and Open Source electronic health records and medical practice management application. It is ONC Certified and it features fully integrated electronic health records, practice management, scheduling, electronic billing, internationalization, free support, a vibrant community, and a whole lot more.
Credits: Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Unrestricted Upload of File with Dangerous Type
Severity: High
CVSS Score: 8.8
CWE-ID: CWE-434
Status: Not Fixed
Vulnerability Description
The OpenEMR application allows users to upload files of dangerous types. This can result in arbitrary code execution if the system administrator has not properly restricted access to the repository hosting uploaded files, as recommended by OpenEMR during the installation process.
CVSS Base Score
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Description

The OpenEMR application allows users of all roles to upload files. However, the application does not restrict uploads to an allow-list of expected file types (e.g. PDF, JPG, PNG, DOCX, etc.). On the contrary, files of any type can be uploaded to the filesystem via the application.

While OpenEMR recommends during installation that access to the repository hosting uploaded files be restricted, such recommendations are too often ignored by users, and the result can be full compromise of the web server and its data. The following screenshot shows the upload of a PHP webshell:

The following screenshot shows the response from the web application indicating that the upload was successful. In addition, the application returns the full path of the file that was just uploaded, which makes locating the file trivial.

Finally, we call the webshell with the parameter “cmd=cat+/etc/passwd” to fetch the passwd file.
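The root cause is the missing allow-list and the fact that uploaded files land in a web-served directory under their original name. As an added illustration (not OpenEMR code), the following PHP upload handler shows the checks a fixed version would need: an allow-list keyed on the final extension, content-type verification with finfo rather than the client-supplied type, and storage under a random server-chosen name in a directory outside the document root (the path `/var/lib/openemr-uploads` is an assumed placeholder).

```php
<?php
// Added example, not part of OpenEMR: hardened handling of an uploaded file.
declare(strict_types=1);

// Allow-list: final extension => MIME types accepted for that extension, as
// detected from the file content. Anything else (.php, .phtml, .htaccess, ...)
// is rejected before it ever touches the upload directory.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    // Older libmagic versions report DOCX as a plain zip container.
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document',
               'application/zip'],
];

// Assumed storage location: outside the web root, so the web server never
// executes or serves files from it directly (placeholder path).
const UPLOAD_DIR = '/var/lib/openemr-uploads';

function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Only the last extension counts: "report.pdf.php" is rejected,
    // "shell.php.pdf" is accepted by name but still has to pass the content check.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    // Inspect the bytes; $_FILES['type'] is attacker-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('File content does not match its extension');
    }
    return $ext;
}

function storeUpload(array $file): string
{
    $ext = validateUpload($file);
    // Random name chosen by the server: the original filename never reaches the
    // filesystem, and the caller gets back only this opaque handle, not a path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}
```

Pass an entry of `$_FILES` to `storeUpload()`; the returned handle can be mapped to the stored file by a download endpoint that streams it with a fixed `Content-Disposition: attachment` header, so the upload directory itself is never exposed by the web server.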

Note: This vulnerability has not been fixed as of OpenEMR 5.0.0 patch 7.
