OpenEMR Out-of-Band Server-Side Request Forgery Vulnerability

Vulnerability

A high-severity out-of-band server-side request forgery (SSRF) vulnerability has been identified in OpenEMR versions prior to 7.0.3.1. It allows an attacker to make the server issue unauthorized requests to external or internal resources. Because the server's response is not returned to the attacker (the SSRF is blind), exploitation is confirmed and leveraged through out-of-band DNS or HTTP interactions, which can be used to exfiltrate sensitive information.

Impact

Exploitation of this vulnerability allows for internal port scanning and unauthorized access to internal resources.

Reproduction

To reproduce this vulnerability, log into OpenEMR and navigate to 'Misc' > 'Dicom Viewer'. Once there, import a file and select the 'Url' option. This parameter can be used to test for SSRF by pasting a link that points to a Burp Collaborator payload. After submitting, the response will indicate that the SSRF vulnerability has been successfully exploited.

Remediation

Users can update to OpenEMR version 7.0.3.1 or later to address this vulnerability.
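Beyond upgrading, the underlying weakness is a server-side fetch of a user-supplied URL with no check on where that URL points. The following is an added example of the kind of guard a defender would put in front of such a fetch; it is not OpenEMR's code and assumes a generic application that takes a URL string and retrieves it server-side. It rejects non-HTTP schemes, URLs with embedded credentials, and any host that resolves to a loopback, private, link-local, multicast or otherwise non-public address. The resolver is injectable so the check can be run offline; the bundled lookup table is constructed sample data.

```python
"""Pre-fetch SSRF guard for a user-supplied URL.

Added example, not OpenEMR project code. Assumptions: the application fetches
a URL supplied by the user; this check runs before the fetch. The resolver is
injectable so the logic can be exercised offline with constructed data.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Return every address the host resolves to (needs network access)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed lookup table standing in for DNS during offline use/testing.
_SAMPLE_DNS = {
    "example.org": {"93.184.216.34"},                      # public only
    "intranet.local": {"10.0.0.5"},                        # private only
    "dual.test": {"93.184.216.34", "192.168.1.1"},         # mixed answers
    "localhost": {"127.0.0.1", "::1"},
}


def sample_resolver(host):
    """Offline stand-in for default_resolver backed by the constructed table."""
    if host not in _SAMPLE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return _SAMPLE_DNS[host]


def is_public_address(ip):
    """True only for a globally routable unicast address.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so that
    ::ffff:10.0.0.5 is judged as 10.0.0.5 rather than as an opaque IPv6 host.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable or scoped literal: refuse rather than guess
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def check_fetch_url(url, resolver=default_resolver):
    """Return (ok, reason).

    ok is True only if the scheme is allowed, no credentials are embedded, and
    *every* address the host resolves to is public. A host that returns a mix
    of public and private answers is rejected, since the client could connect
    to either one.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"

    try:
        # Literal IP (including decimal or bracketed IPv6 forms urlparse
        # hands back): no DNS lookup needed.
        ips = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            ips = set(resolver(host))
        except (socket.gaierror, OSError) as exc:
            return False, "resolution failed: %s" % exc
    if not ips:
        return False, "host resolved to no addresses"

    for ip in sorted(ips):
        if not is_public_address(ip):
            return False, "host %s resolves to non-public address %s" % (host, ip)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://example.org/study.dcm",
                      "http://intranet.local/",
                      "http://127.0.0.1:8080/",
                      "http://[::ffff:10.0.0.5]/",
                      "file:///etc/hosts"):
        ok, reason = check_fetch_url(candidate, resolver=sample_resolver)
        print("%-32s %s (%s)" % (candidate, "ALLOW" if ok else "DENY", reason))
```

Two caveats apply when wiring this in. The address that passed the check should be the one actually connected to (pin the resolved IP for the request) so that a second DNS lookup cannot return a different answer; and if the fetch follows redirects, each redirect target must go through the same check, since a public host can redirect into an internal one. Logging the rejection reason gives the SOC a ready-made detection signal for probing of this parameter.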

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 4.5
impact: 3.1
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.