OpenEMR 4.1.1 (site param) Remote XSS Vulnerability
Advisory ID: ZSL-2013-5129
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 21.02.2013
Summary
OpenEMR is a Free and Open Source electronic health records and medical practice management application that can run on Windows, Linux, Mac OS X, and many other platforms.
Description
OpenEMR suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the 'site' GET parameter in the central 'globals.php' script, which is called by every script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
Vendor
OpenEMR - http://www.open-emr.org
Affected Version
4.1.1
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Fedora Linux
Apache2, PHP 5.4 MySQL 5.5
Vendor Status
[09.02.2013] Vulnerability discovered.
[14.02.2013] Contacted the vendor and sent PoC file.
[15.02.2013] Vendor confirms the vulnerability, creating a fix.
[20.02.2013] Vendor releases patch 4.1.1-Patch-11 to address this issue.
[21.02.2013] Coordinated public security advisory released.
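The Description attributes the issue to an unsanitized 'site' GET parameter in a script that every page includes. The following is an added example, not OpenEMR source and not the contents of the vendor patch: one way to handle such a parameter with an allowlist check plus output encoding. The function names, the allowed character set, the 64-character limit and the error wording are assumptions made for illustration.

```php
<?php
// Added example with hypothetical helpers; not taken from OpenEMR.
// Unsafe pattern being replaced: writing $_GET['site'] into the page as-is.

// Allowlist validation. Assumption: a site id is a short name made of
// letters, digits, hyphen and dot, and is never "." or "..".
function resolve_site_id(array $query, string $default = 'default'): string
{
    $site = $query['site'] ?? $default;
    if (!is_string($site) || $site === '' || strlen($site) > 64
        || preg_match('/[^A-Za-z0-9.\-]/', $site)
        || $site === '.' || $site === '..') {
        throw new InvalidArgumentException('invalid site id');
    }
    return $site;
}

// Output encoding for any value that is still shown to the user.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the text a central include might emit for the request.
function site_banner(array $query): string
{
    try {
        return 'Site: ' . h(resolve_site_id($query));
    } catch (InvalidArgumentException $e) {
        // Even the rejection message encodes the rejected value.
        $raw = $query['site'] ?? '';
        $shown = is_string($raw) ? $raw : '(non-string value)';
        return 'Site ID "' . h($shown) . '" contains invalid characters.';
    }
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['site' => 'default'],
    ['site' => 'clinic-2.example'],
    ['site' => '"><script>alert(1)</script>'], // markup is encoded, not rendered
    ['site' => ['nested']],                    // site[]=... arrives as an array
    [],                                        // parameter absent: default used
];
foreach ($samples as $query) {
    echo site_banner($query), PHP_EOL;
}
```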
PoC
openemr_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.open-emr.org/wiki/index.php/OpenEMR_Patches
[2] http://cxsecurity.com/issue/WLB-2013020153
[3] http://packetstormsecurity.com/files/120463
[4] http://www.securityfocus.com/bid/58085
[5] http://www.osvdb.org/show/osvdb/90549
[6] http://secunia.com/advisories/52145/
[7] http://xforce.iss.net/xforce/xfdb/82259
[8] http://www.open-emr.org/wiki/index.php/Security_Alert_Fixes
Changelog
[21.02.2013] - Initial release
[22.02.2013] - Added reference [4], [5] and [6]
[23.02.2013] - Added reference [7]
[08.10.2014] - Added reference [8]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk