SB2018080813 - Multiple vulnerabilities in OpenEMR


Published: August 8, 2018

Security Bulletin ID: SB2018080813
Severity: High
Patch available: YES
Number of vulnerabilities: 21
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 24%, Low: 76%

Description

This security bulletin contains information about 21 security vulnerabilities.


1) Authentication bypass (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass authentication on the target system.

The weakness exists due to improper authentication. A remote attacker can navigate to the registration page, modify the requested URL to reach the desired page and bypass the Patient Portal login.

2) SQL-injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through find_appt_popup_user.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.


3) SQL-injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through find_appt_popup_user.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.


4) SQL-injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through Anything_simple.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.


5) SQL-injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through forms_admin.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.


6) SQL-injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through search_code.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.


7) SQL-injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through find_drug_popup.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.


8) SQL-injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through find_immunization_popup.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.


9) SQL-injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through find_code_popup.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.


10) SQL-injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through de_identification_screen2.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.


11) Information disclosure (CVE-ID: N/A)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists because the application does not adequately protect sensitive information from parties that would not normally have access to it. A remote attacker can gather information which can be utilized later in the attack cycle.


12) Unrestricted upload of file with dangerous type (CVE-ID: N/A)

The vulnerability allows a remote authenticated attacker to execute arbitrary commands.

The vulnerability exists due to unrestricted file upload in super/manage_site_files.php caused by insufficient input validation. A remote attacker can upload a PHP web shell and execute system commands with elevated privileges.


13) Improper input validation (CVE-ID: N/A)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in OpenEMR’s sl_eob_search.php file due to improper sanitization of user-supplied values. A remote attacker can submit specially crafted input and execute arbitrary code with elevated privileges.


14) Improper input validation (CVE-ID: N/A)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in fax_dispatch.php due to improper sanitization of user-supplied values. A remote attacker can submit specially crafted input and execute arbitrary code with elevated privileges.


15) Improper input validation (CVE-ID: N/A)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in faxq.php due to improper sanitization of user-supplied values. A remote attacker can submit specially crafted input and execute arbitrary code with elevated privileges.


16) Improper input validation (CVE-ID: N/A)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in daemon_frame.php due to improper sanitization of user-supplied values. A remote attacker can submit specially crafted input and execute arbitrary code with elevated privileges.


17) Cross-site request forgery (CVE-ID: N/A)

The vulnerability allows a remote unauthenticated attacker to perform a CSRF attack.

The weakness exists in super/manage_site_files.php due to insufficient CSRF protections. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.

18) Privilege escalation (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper access controls. A remote attacker can directly request the ippf_upgrade.php script and run an IPPF upgrade on a remote server. Upon visiting ippf_upgrade.php a user is prompted with a button that, when pressed, begins converting the databases to UTF8 (provided they aren't encoded already).


19) Arbitrary file write (CVE-ID: N/A)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in import_template.php due to arbitrary file upload. A remote attacker can make a crafted request to upload any type of file, including PHP, to the system and execute arbitrary code with elevated privileges.


20) Out-of-bounds read (CVE-ID: N/A)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in import_template.php due to lack of sanitization before user input from the docid parameter is passed to the file_get_contents() function. A remote attacker can make a crafted request to view files on the system outside the web directory, including /etc/passwd.


21) Improper input validation (CVE-ID: N/A)

The vulnerability allows a remote authenticated attacker to delete arbitrary files on the target system.

The vulnerability exists in import_template.php due to lack of sanitization of user input from the docid parameter before it is passed to the unlink() function. A remote authenticated attacker can delete arbitrary files on the system.
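Items 20 and 21 share one root cause: a user-controlled file name reaches file_get_contents() and unlink() without being confined to the intended directory. The following is an added example, not OpenEMR's code, of the check a fix needs; the template directory, the function names and the 128-character limit are assumptions.

```php
<?php
// Added example (not OpenEMR's code): confine a user-supplied docid to one
// directory before it is used as a path. Directory and function names are assumed.

/**
 * Resolve $docid to an existing file inside $baseDir, or return null.
 * Rejects separators, traversal sequences and NUL bytes up front, then
 * re-checks the canonical path so symlinks and ".." cannot escape $baseDir.
 */
function resolveTemplatePath(string $docid, string $baseDir): ?string
{
    // 1. Accept only a plain file name: letters, digits, dot, underscore, dash.
    if ($docid === '' || !preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $docid)
        || strpos($docid, '..') !== false) {
        return null;
    }

    // 2. Canonicalise the base directory and the candidate path.
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        return null;
    }
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $docid);

    // 3. The file must exist and its canonical path must stay under the base.
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Guarded replacement for an unchecked file_get_contents($docid) (item 20). */
function readTemplate(string $docid, string $baseDir): ?string
{
    $path = resolveTemplatePath($docid, $baseDir);
    return $path === null ? null : file_get_contents($path);
}

/** Guarded replacement for an unchecked unlink($docid) (item 21). */
function deleteTemplate(string $docid, string $baseDir): bool
{
    $path = resolveTemplatePath($docid, $baseDir);
    return $path !== null && unlink($path);
}

// Usage with an assumed template directory: a traversal attempt is refused.
$base = __DIR__ . '/templates';
if (readTemplate('../../../../etc/passwd', $base) === null) {
    echo "traversal refused\n";
}
```

Logging the refused docid value alongside the session user gives the operations team a detection signal for the probing described in items 20 and 21.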


Remediation

Install the update from the vendor's website.