OpenEMR v5_0_1_4: SQL Injection in interface/logview/logview.php #1782
Comments
hi @l00ph0le , Thanks for the report! Fixes are in this PR: For future specific security vulnerability reports, recommend emailing them to me at brady.g.miller@gmail.com rather than posting them publicly (and even better if you email it encrypted via my public PGP key at: https://pgp.mit.edu/pks/lookup?op=get&search=0x27DEF05B1A8A6D4F). Thanks!

Hi Brady, Can you post the security vulnerability contact information on your main website or in the README of the project? I would have done this had I seen it somewhere. I opened the issues based on previous issues I found in the project; I thought it was the preferred reporting method. Thank you ~Nick

Just a heads up, this is already covered by CVE-2014-5462 https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5462/ (pointed out to me by MITRE when I tried to assign a new CVE for this issue). Please note that there are additional SQL injection flaws you may need to fix (otherwise, if you only fix part of CVE-2014-5462, we'll need to assign another CVE for the unfixed SQL injections). Thanks!

hi @kurtseifried ,

Good project for somebody related to security:

I confirmed that all of the above vulnerabilities in the above link have been addressed, so closing this issue.

@bradymiller Could you kindly point out where CVE-2014-5462 was addressed? (in what commit)

hi @NicoleG25 ,

Ah, I see. So what would be the 'safest' version, in your opinion, where the vulnerabilities no longer existed?

hi @NicoleG25 , Definitely should use the most recent production version, OpenEMR 5.0.2, since that version had lots of security fixes/updates/improvements/features (the systematic codebase refactoring for 5.0.2 likely was what fixed most of the vulnerabilities in that old CVE):
I found an application security issue in interface/logview/logview.php of OpenEMR v5_0_1_4 and likely earlier versions.
The vulnerability exists due to a lack of sanitization of user-supplied input. The vulnerability could allow remote authenticated attackers to inject SQL commands via the 'sortby' parameter.
I think the issue is being triggered by the SQL query in /library/log.inc on line 217.
openemr/library/log.inc, line 217 in a6b2403
PoC:
http://192.168.246.144/openemr-5.0.1/interface/logview/logview.php?direction=asc&sortby=1,extractvalue(0x0a,concat(0x0a,(SELECT%20@@hostname)))--&csum=&start_date=2018-07-26+00%3A00&end_date=2018-07-26+23%3A59&form_patient=Click+To+Select&form_pid=&form_user=&eventname=&type_event=&event=
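Added illustration of the fix pattern for this class of bug, not OpenEMR's own code (the column names and function names are hypothetical): an ORDER BY column cannot be bound as a query parameter, so the request value is mapped through an allow-list and only fixed names reach the SQL text, while the remaining values are bound via PDO.

```php
<?php
// Added illustration, not OpenEMR code: the 'sortby' value from the request
// decides the ORDER BY column. Column names cannot be bound as parameters,
// so the defence is an allow-list that maps the request value to a fixed name.

// Hypothetical column map; the real log table columns are not on this page.
const ALLOWED_SORT_COLUMNS = [
    'date'  => 'date',
    'event' => 'event',
    'user'  => 'user',
];

/**
 * Map untrusted sortby/direction values onto a fixed ORDER BY fragment.
 * Unknown values fall back to a default instead of reaching the query.
 */
function buildOrderBy(string $sortby, string $direction): string
{
    $column = ALLOWED_SORT_COLUMNS[$sortby] ?? 'date';
    $dir = (strtolower($direction) === 'desc') ? 'DESC' : 'ASC';
    return "ORDER BY `$column` $dir";
}

// Vulnerable pattern (what the report describes): the request value is
// interpolated straight into the SQL text, so anything the client sends
// after the column name becomes part of the statement.
function vulnerableQuery(string $sortby, string $direction): string
{
    return "SELECT * FROM log WHERE date >= ? ORDER BY $sortby $direction";
}

// Hardened pattern: only the allow-listed fragment is concatenated, and the
// data values are bound as parameters through a prepared statement.
function safeQuery(PDO $pdo, string $startDate, string $sortby, string $direction): array
{
    $sql = 'SELECT * FROM log WHERE date >= ? ' . buildOrderBy($sortby, $direction);
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$startDate]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with a constructed sortby value shaped like the report's PoC.
$payload = '1,extractvalue(0x0a,concat(0x0a,(SELECT @@hostname)))--';
echo vulnerableQuery($payload, 'asc'), PHP_EOL;   // payload lands inside the SQL text
echo buildOrderBy($payload, 'asc'), PHP_EOL;       // falls back to ORDER BY `date` ASC
```

The same allow-list approach applies to any other request value that selects a column or table name, since those positions cannot be parameterised.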