Vulnerabilities have recently been discovered in the popular medical records management portal OpenEMR. If left unpatched, these vulnerabilities would have handed control of the medical practice management application to attackers. Of all the bugs, the one in the Patient Portal was probably the most severe: people use the Patient Portal to access almost all of their medical data, so it is an essential component for them. OpenEMR has patched most of these bugs in time.

Bugs in the system

The cross-site scripting flaw in the Patient Portal allowed the researchers to gain unauthorized command execution on OpenEMR servers. Insecure API permissions allowed unauthenticated access to the portal.

This made it possible to inject a malicious JavaScript payload even in cases where registration of new patients was disabled, which could lead to the attacker gaining complete control over the server. Besides this, the researchers also found an SQL injection vulnerability that could potentially be used to steal patient data. These flaws are described below in greater detail.

Command Injection Flaw

A command injection flaw was found in the feature of the system that creates backups. Backtick characters from a request parameter reached the shell command unescaped, producing:

echo "DELETE FROM layout_options WHERE form_id = '`touch sonarsource.txt;`';" >> /tmp/export;

This was triggered by a malicious request parameter, namely:

?form_sel_layouts[]=`touch sonarsource.txt;`

Because the shell interprets characters such as backticks as command substitution, the attacker could run arbitrary subcommands on the Linux host through the echo shell command.
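As an added illustration (not OpenEMR's code and not SonarSource's), the following Python models the flawed construction above next to two defensive alternatives: quoting the value with shlex.quote so the shell treats it as data, and the preferred fix of not invoking a shell at all and writing the SQL statements directly. The allow-list pattern for layout ids and the sample inputs are assumptions made for the example.

```python
import re
import shlex

# Constructed sample input for the example (not from OpenEMR): one benign
# layout id and one carrying the shell metacharacters quoted above.
SAMPLE_FORM_IDS = ["DEM", "`touch sonarsource.txt;`"]

# Hypothetical allow-list for layout ids: letters, digits and underscore only.
FORM_ID_RE = re.compile(r"^[A-Za-z0-9_]{1,31}$")


def is_valid_form_id(form_id: str) -> bool:
    """Positive validation: accept only plain identifiers, reject everything else."""
    return bool(FORM_ID_RE.match(form_id))


def vulnerable_command(form_id: str, export_path: str = "/tmp/export") -> str:
    """Shape of the flawed construction: untrusted input interpolated straight
    into a shell command string. Returned for inspection only, never executed."""
    return (f"echo \"DELETE FROM layout_options WHERE form_id = '{form_id}';\" "
            f">> {export_path};")


def hardened_command(form_id: str, export_path: str = "/tmp/export") -> str:
    """Same shell command, but the id is validated first and the whole SQL
    statement is shell-quoted, so backticks can no longer be interpreted."""
    if not is_valid_form_id(form_id):
        raise ValueError(f"rejected form_id: {form_id!r}")
    stmt = f"DELETE FROM layout_options WHERE form_id = '{form_id}';"
    return f"echo {shlex.quote(stmt)} >> {shlex.quote(export_path)};"


def export_statements(form_ids) -> list:
    """Preferred fix: build the statements in the application and skip the
    shell entirely. Invalid ids are dropped rather than written."""
    return [
        f"DELETE FROM layout_options WHERE form_id = '{form_id}';"
        for form_id in form_ids
        if is_valid_form_id(form_id)
    ]


def write_export(form_ids, export_path: str) -> int:
    """Append the validated statements to the export file from Python itself.
    Returns the number of statements written."""
    stmts = export_statements(form_ids)
    with open(export_path, "a", encoding="utf-8") as fh:
        for stmt in stmts:
            fh.write(stmt + "\n")
    return len(stmts)


if __name__ == "__main__":
    for fid in SAMPLE_FORM_IDS:
        print("valid:", is_valid_form_id(fid), "->", vulnerable_command(fid))
    print(export_statements(SAMPLE_FORM_IDS))
```

The point of `export_statements` is that once the application writes the file itself, there is no shell to interpret metacharacters, so the allow-list becomes defence in depth rather than the only barrier.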

The API Permissions

The flow for registering new users suffered from insecure API permissions. The attacker could take advantage of the fact that the session variable is not destroyed at the end of the registration script. The sequence is as follows:

  • The attacker sends the first HTTP request to register. PHP creates a session and sets the variable $_SESSION['register'] to true.
  • Since $ignoreAuth is now set to true, the attacker can reach the dispatcher without authenticating and without ever finishing the registration process.

This would let the attacker reach the data with little effort. Once a user logs in to their account, the attacker could take advantage of it, and the vulnerability would allow them to modify or extract the patient's data at will.
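To make the failure mode above concrete, here is an added Python model (not OpenEMR's code) of the registration state machine. A plain dict stands in for PHP's $_SESSION, the flawed authorizer treats an in-progress registration as a reason to skip authentication, and the fixed authorizer only honours a completed registration or login. Endpoint names and the request router are assumptions made for the example.

```python
# Session is a dict standing in for $_SESSION; keys used here are assumed.

def register_start(session: dict) -> None:
    """First request to the registration endpoint: the flag is set up front,
    before any account exists."""
    session["register"] = True


def register_finish(session: dict, patient_id: str) -> None:
    """Registration completed: the account now exists and the flag is cleared."""
    session["patient_id"] = patient_id
    session.pop("register", None)


def login(session: dict, patient_id: str) -> None:
    """Normal login path: a completed authentication binds a patient id."""
    session.clear()
    session["patient_id"] = patient_id


def dispatcher_allows_flawed(session: dict) -> bool:
    """Models the vulnerable check: $ignoreAuth is derived from the
    registration flag, so an abandoned registration bypasses authentication."""
    ignore_auth = bool(session.get("register"))
    return ignore_auth or "patient_id" in session


def dispatcher_allows_fixed(session: dict) -> bool:
    """Hardened check: the registration flag never grants dispatcher access.
    Only a session bound to an authenticated patient id is accepted."""
    return "patient_id" in session and not session.get("register")


def handle_request(session: dict, endpoint: str, authorize) -> int:
    """Tiny router returning an HTTP-style status. 'register' is public;
    'dispatcher' is gated by the supplied authorizer."""
    if endpoint == "register":
        register_start(session)
        return 200
    if endpoint == "dispatcher":
        return 200 if authorize(session) else 401
    return 404


def abandoned_registration_outcome(authorize) -> int:
    """Replays the attack sequence: start registering, never finish, then hit
    the dispatcher. Returns the status the dispatcher would answer with."""
    session = {}
    handle_request(session, "register", authorize)
    return handle_request(session, "dispatcher", authorize)


if __name__ == "__main__":
    print("flawed:", abandoned_registration_outcome(dispatcher_allows_flawed))
    print("fixed: ", abandoned_registration_outcome(dispatcher_allows_fixed))
```

The design lesson is that a flag meaning "a multi-step flow is in progress" must never double as "authentication may be skipped"; the flag should scope only the registration endpoints themselves and be cleared on completion or abandonment.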

Cross-site Scripting

The attackers could use cross-site scripting (XSS) to extract data from the system. All they had to do was inject a malicious XSS payload into any administrator account's last name. Where a last name contains <script> tags, the malicious JavaScript is executed in the victim's browser, giving the attacker access to it.

Whenever the user changes their password, the payload is read from the database and rendered in the front end. The tainted name is then emitted as HTML in the response page and executed by the user's browser.
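The following Python is an added example (not OpenEMR's code) of the stored XSS pattern just described: a last name read from storage is interpolated into the password-change page unescaped, next to the fixed rendering that HTML-encodes it, plus a small audit routine a defender could run over stored names to spot markup that should never be there. The sample rows and page template are constructed for the example.

```python
import html
import re

# Constructed sample rows (user id, stored last name); not real OpenEMR data.
SAMPLE_ROWS = [
    ("u1", "Smith"),
    ("u2", "Smith<script>alert('stored xss')</script>"),
    ("u3", "O'Brien"),
]

SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_password_page_vulnerable(last_name: str) -> str:
    """Vulnerable rendering: the stored value is dropped into the HTML as-is,
    so any tags it carries become part of the page."""
    return f"<h1>Change password</h1><p>User: {last_name}</p>"


def render_password_page_fixed(last_name: str) -> str:
    """Fixed rendering: context-appropriate output encoding turns '<', '>',
    '&' and quotes into entities, so the browser shows them as text."""
    return f"<h1>Change password</h1><p>User: {html.escape(last_name, quote=True)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Heuristic check used here only to compare the two renderings."""
    return bool(SCRIPT_TAG_RE.search(markup))


def audit_last_names(rows) -> list:
    """Detection over stored data: return ids whose last name contains
    angle brackets, which a legitimate name never needs."""
    return [uid for uid, name in rows if "<" in name or ">" in name]


if __name__ == "__main__":
    for uid, name in SAMPLE_ROWS:
        print(uid, "vulnerable:", render_password_page_vulnerable(name))
        print(uid, "fixed:     ", render_password_page_fixed(name))
    print("suspicious rows:", audit_last_names(SAMPLE_ROWS))
```

Note that the fix lives at the output boundary: encoding on render protects every page that displays the field, whereas rejecting angle brackets at input time is a useful extra layer but would not clean up values already stored.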

The Final Word

On the 24th of February 2020, four flaws were reported in OpenEMR. To remedy these vulnerabilities, a patch was released by the end of April.

OpenEMR thanked SonarSource for disclosing these vulnerabilities and helping them improve application security.

They also noted that, as an open-source product, OpenEMR is well positioned to respond, especially considering that no software is free of vulnerabilities today. OpenEMR is used worldwide by a large number of people. By patching the bugs in due time, they have sent a powerful message to the public.