Security for everyone

OpenEMR 0-day IDOR Vulnerability (CVE-2022-25471)

SecurityForEveryone

08/Mar/22

OpenEMR is a medical practice management software which also supports Electronic Medical Records (EMR). It is ONC Complete Ambulatory EHR certified and features fully integrated electronic medical records, practice management for a medical practice, scheduling, and electronic billing.

The server side is written in PHP and can be employed in conjunction with a LAMP "stack", though any operating system with PHP support is supported.

OpenEMR is free and open-source software subject to the terms of the GNU General Public License (GPL). It is actively localized and internationalized in multiple languages, and free support is available in online forums around the world.

What is an IDOR Vulnerability?

When a website is visited, the application's contents are accessed through objects. These objects are also used to reference important components such as database records, files and directories. If the application does not verify that the requester is authorized to use a given object, an attacker can imitate or manipulate object values owned by another user and thereby obtain that person's information from the application.

An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas.

The vulnerability was found in the POST request to /interface/modules/zend_modules/public/Installer/register with the "st", "mod_title", "mod_name", "mod_method" and "mtype" parameters, and in the POST request to /interface/modules/zend_modules/public/Installer/manage with the "modId", "modAction", "mod_enc_menu" and "mod_nick_name" parameters.
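A detection check for the two endpoints above, added here as an example that is not part of the advisory or of OpenEMR: it parses web-server access-log lines in the common "combined" format and flags accepted POST requests to the module installer routes, which in a correctly deployed instance should only come from administrators during module management. The log lines and IP addresses are constructed, and the combined-format layout is an assumption.

```python
import re
from urllib.parse import urlsplit

# Module installer routes named in the advisory for CVE-2022-25471 (OpenEMR 6.0.0).
INSTALLER_PATHS = {
    "/interface/modules/zend_modules/public/Installer/register",
    "/interface/modules/zend_modules/public/Installer/manage",
}

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status ...
# The layout is an assumption; adjust the regex if your server logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop any query string and trailing slash so route matching is exact.
    rec["path"] = urlsplit(rec["target"]).path.rstrip("/")
    rec["status"] = int(rec["status"])
    return rec


def find_module_installer_posts(lines):
    """Return one finding per POST to the installer routes that the server accepted (<400)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] in INSTALLER_PATHS and rec["status"] < 400:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "status": rec["status"]})
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Mar/2022:10:15:02 +0000] "GET /interface/main/main_screen.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Mar/2022:10:15:09 +0000] "POST /interface/modules/zend_modules/public/Installer/manage HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Mar/2022:10:16:30 +0000] "POST /interface/modules/zend_modules/public/Installer/register?x=1 HTTP/1.1" 302 0 "-" "curl/7.81"',
    '198.51.100.7 - - [08/Mar/2022:10:16:31 +0000] "POST /interface/modules/zend_modules/public/Installer/manage HTTP/1.1" 403 128 "-" "curl/7.81"',
    '192.0.2.9 - - [08/Mar/2022:10:17:00 +0000] "GET /interface/modules/zend_modules/public/Installer/manage HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_module_installer_posts(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} POST {f['path']} -> {f['status']}")
```

Only the two accepted POSTs (the second and third sample lines) are reported; the rejected 403 request and the GET are not.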

How Did We Detect the OpenEMR Hospital Management System 6.0.0 IDOR (Insecure Direct Object Reference) Vulnerability?

As the Security For Everyone team, we regularly look for 0-day vulnerabilities in software we have selected for review. One of the applications we chose was the OpenEMR Hospital Management System 6.0.0, a medical practice management software. After deciding on the application to examine, we performed the following steps in order:

We decided to manually examine the source code of the application, downloaded from SourceForge, after we saw that examining it with automatic source code analysis tools produced too many false positives.

As a result of our static and dynamic analyses of the source code, we detected an IDOR (Insecure Direct Object Reference) vulnerability in the POST request to /interface/modules/zend_modules/public/Installer/register with the "st", "mod_title", "mod_name", "mod_method" and "mtype" parameters, and in the POST request to /interface/modules/zend_modules/public/Installer/manage with the "modId", "modAction", "mod_enc_menu" and "mod_nick_name" parameters.

When we triggered the vulnerability, we discovered that we could make changes to the modules on the system.

Finally, we applied to MITRE and obtained our CVE ID.
