OpenEMR is a web application software written using PHP programming to create a hospital information management system. When the software is downloaded through Github or SourceForge, the source code will be included, and you will be able to run the software on your server.
As a result of our research, we detected Stored Cross-Site Scripting (XSS) vulnerability POST requests in /interface/new/new_comprehensive_save.php.
What is Cross-Site Scripting (XSS) Vulnerability?
Cross-site scripting (XSS) vulnerability is a security flaw that allows an attacker to inject malicious code into a web page, resulting in the execution of the code by unsuspecting users who visit the page. The malicious code can be used to steal user data, such as login credentials, or to execute arbitrary actions on behalf of the user.
How Did We Detect OpenEMR Hospital Information Management System Stored Cross-Site Scripting (XSS) Vulnerability?
As the Security For Everyone team, we regularly look for vulnerabilities in the software we have chosen to find 0-day. One of the software we chose was the OpenEMR Hospital Information Management System web application, which serves hospitals. After deciding on the application that we are going to look for vulnerability, we performed the following steps in order:
We decided to manually examine the source codes of the application downloaded from SourceForge after seeing that it was concerned with automatic source code analysis tools that produced too many false positives.
As a result of our static and dynamic analyses on the source code, we detected Stored XSS vulnerability "form_fname" and "form_lname" parameters in POST requests sent to the "/interface/new/new_comprehensive_save.php" page.
Using the Stored XSS vulnerability we detected, we can takeover another user account.
Finally, we applied to MITRE and got our CVE code.
How to prevent Cross-Site Scripting (XSS) Vulnerability?
There are several ways you can prevent XSS vulnerabilities in your web applications:
- Use a web application firewall (WAF)
- Input validation
- Output encoding/escaping
- Contextual output encoding/escaping
- Content Security Policy (CSP)
- Keep all systems and software up-to-date
- Use HttpOnly and Secure flags to prevent cookies from being stolen
Sources
control security posture