Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

OpenEMR SQL Injection Vulnerability Allowing Privilege Escalation and Remote Code Execution

Vulnerability

A SQL injection vulnerability has been identified in OpenEMR versions through 4.1.1 Patch 14. This vulnerability allows a low-privileged authenticated user to inject SQL and extract sensitive information, such as administrator password hashes, from the database. Once the attacker obtains the admin password hash, they can log in as an admin user. After gaining administrative privileges, the attacker can exploit an unrestricted file upload vulnerability to upload malicious files, such as PHP scripts, which can be executed on the server, leading to a full compromise of the application and the host system.

Impact

Successful exploitation of this vulnerability allows for SQL injection, privilege escalation, and remote code execution on the server where OpenEMR is hosted.

Reproduction

To reproduce this vulnerability, log in to OpenEMR as a low-privileged user. Once logged in, navigate to the 'new_comprehensive_save.php' page within the 'interface/new/' directory. Here, the SQL injection can be performed by injecting malicious SQL into the 'form_pubpid' parameter. This injection exploits the application's SQL query handling to extract the admin password hash from the database. After obtaining the hash, log in as the admin user. Once logged in, go to the 'manage_site_files.php' page in the 'interface/super/' directory. This page allows for arbitrary file uploads. Upload a file containing a PHP payload, which will be executed on the server, thereby achieving remote code execution.
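One way to spot this chain in web-server access logs, as an added defensive example that is not part of this advisory or of OpenEMR's code: it parses Apache-style log lines (the sample lines are constructed), flags SQL metacharacters or keywords in the 'form_pubpid' parameter sent to 'new_comprehensive_save.php', flags POSTs to 'manage_site_files.php', and reports any client that did the first and then the second.

```python
"""Detect the OpenEMR SQLi-then-upload chain in access logs (illustrative)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2025:21:40:01 +0000] "GET /interface/new/new_comprehensive_save.php?form_pubpid=1234 HTTP/1.1" 200 512
10.0.0.7 - - [01/Aug/2025:21:41:10 +0000] "GET /interface/new/new_comprehensive_save.php?form_pubpid=1234%27%20UNION%20SELECT HTTP/1.1" 200 3100
10.0.0.7 - - [01/Aug/2025:21:44:32 +0000] "POST /interface/super/manage_site_files.php HTTP/1.1" 200 910
10.0.0.9 - - [01/Aug/2025:21:45:00 +0000] "POST /interface/super/manage_site_files.php HTTP/1.1" 200 910
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Heuristic injection markers: quotes, comment openers, or common SQL keywords in the decoded value.
SQLI_RE = re.compile(r"""['"]|--|/\*|\b(union|select|sleep|benchmark)\b""", re.IGNORECASE)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "method": m["method"], "path": url.path,
            "query": parse_qs(url.query), "status": int(m["status"])}

def classify(rec):
    """Return a finding label for one parsed request, or None."""
    if rec["path"].endswith("/interface/new/new_comprehensive_save.php"):
        for value in rec["query"].get("form_pubpid", []):   # parse_qs already URL-decodes
            if SQLI_RE.search(value):
                return "sqli_form_pubpid"
    if rec["path"].endswith("/interface/super/manage_site_files.php") and rec["method"] == "POST":
        return "site_file_upload"
    return None

def analyze(log_text):
    """Collect findings per client IP; 'chained' lists IPs whose SQLi attempt precedes an upload."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = rec and classify(rec)
        if label:
            findings.setdefault(rec["ip"], []).append(label)
    chained = [ip for ip, labels in findings.items()
               if "sqli_form_pubpid" in labels
               and "site_file_upload" in labels[labels.index("sqli_form_pubpid"):]]
    return findings, chained
```

Access logs only carry query strings, so a 'form_pubpid' value sent in a POST body would need application or WAF logging to be visible; the upload rule also fires for legitimate admin use of that page, so treat it as a correlation signal rather than an alert on its own.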

Remediation

Users are advised to upgrade to OpenEMR version 4.1.2 or later.

Added: Aug 1, 2025, 9:49 PM
Updated: Aug 1, 2025, 9:49 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 0.3
threat: 8.1
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.