Researchers have found three separate vulnerabilities in OpenEMR, open-source software for electronic health records and medical practice management.
Clean code experts at Sonar published an advisory Wednesday about the flaws, which were discovered by security researcher Dennis Brinkrolf.
“During our security research of popular web applications, we discovered several code vulnerabilities in OpenEMR,” Brinkrolf wrote.
“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure.”
The security expert explained that the company’s static application security testing (SAST) engine discovered that two of these three vulnerabilities combined could lead to unauthenticated remote code execution (RCE).
“In summary, an attacker can use the reflected XSS, upload a PHP file […] and then use the path traversal via the Local File Inclusion to execute the PHP file. It takes a few tries to figure out the appropriate Unix timestamp but eventually leads to remote code execution.”
As for the third vulnerability, it allowed attackers to configure OpenEMR in a way that would eventually let them steal user data.
“In other words, if OpenEMR is set up correctly, an unauthenticated attacker can read files like certificates, passwords, tokens, and backups from an OpenEMR instance via a rogue MySQL server,” Brinkrolf explained.