OpenEMR is the most popular open source software for electronic health record and medical practice management. It is used world-wide to manage sensitive patient data, including information about medications, laboratory values, and diseases. Patients use OpenEMR to schedule appointments, communicate with physicians, and pay online invoices. Specifically in these tumultuous times of an ongoing pandemic, this is highly sensitive data that needs protection.
During our security research of popular web applications, we discovered several critical code vulnerabilities in OpenEMR 188.8.131.52:
- Command Injection (admin privileges)
- Persistent XSS (admin privileges)
- Insecure API permissions (unauthenticated)
- SQL Injection (user privileges)
A combination of these vulnerabilities allowed remote attackers to execute arbitrary system commands on any OpenEMR server that uses the Patient Portal component. This can lead to the compromise of sensitive patient data, or worse, to a compromise of critical infrastructure. We reported all issues responsibly to the affected vendor who rated the fixes as critical and released a security patch in August immediately to protect all users.
We have published a blog post with a technical root cause analysis of three code vulnerabilities, how these could be chained by an attacker during exploitation (including a video), and how the vulnerable code was patched.