
OpenEMR 4.1.1 (site param) Remote XSS Vulnerability

Low
Advisory ID
ZSL-2013-5129
Release Date
21 February 2013
Vendor
Affected Version
4.1.1
CVE
N/A
Tested On
Microsoft Windows 7 Ultimate SP1 (EN), Fedora Linux, Apache2, PHP 5.4, MySQL 5.5
Summary

OpenEMR is a Free and Open Source electronic health records and medical practice management application that can run on Windows, Linux, Mac OS X, and many other platforms.

Description

OpenEMR suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the 'site' GET parameter in the central 'globals.php' script, which is called by every script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
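
Because every script passes through 'globals.php', any request path can carry the 'site' parameter, so web server logs are a practical place to look for abuse. The following is an added example, not part of the original advisory or the vendor's code: it scans Apache access-log lines and flags 'site' values that are not plain identifiers. The allowed character set, the request paths and the log entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate site identifier is a short directory-style name.
SAFE_SITE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Request line inside an Apache access-log entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def suspicious_site_values(log_line):
    """Return the decoded 'site' values in one log line that are not plain identifiers."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qs percent-decodes values and keeps every occurrence of a repeated key,
    # so a benign first 'site' cannot hide a second, malformed one.
    values = parse_qs(query, keep_blank_values=True).get("site", [])
    return [v for v in values if not SAFE_SITE.fullmatch(v)]


def scan(lines):
    """Return (line_number, client_ip, bad_values) for each flagged entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_site_values(line)
        if bad:
            hits.append((n, line.split(" ", 1)[0], bad))
    return hits


# Constructed sample entries (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2013:10:00:01 +0000] "GET /emr/a.php?site=default HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Feb/2013:10:00:09 +0000] "GET /emr/b.php?site=%3Cem%3Ex%3C%2Fem%3E HTTP/1.1" 200 912',
    '198.51.100.7 - - [21/Feb/2013:10:00:12 +0000] "GET /emr/b.php?site=default&site=a%22b HTTP/1.1" 200 912',
    '192.0.2.10 - - [21/Feb/2013:10:00:20 +0000] "GET /emr/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, ip, bad in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} sent site={bad!r}")
```

The same allow-list check, applied server-side before the value is used or echoed, rejects the input instead of merely reporting it.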

Proof of Concept
Disclosure Timeline
09.02.2013: Vulnerability discovered.
14.02.2013: Vendor contacted and PoC file sent.
15.02.2013: Vendor confirms the vulnerability and is creating a fix.
20.02.2013: Vendor releases patch 4.1.1-Patch-11 to address this issue.
21.02.2013: Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
21.02.2013: Initial release
22.02.2013: Added reference [4], [5] and [6]
23.02.2013: Added reference [7]
08.10.2014: Added reference [8]