OpenEMR SQL Injection Vulnerability in Immunization Module Allowing Database Compromise and Potential Remote Code Execution

Vulnerability

A SQL injection vulnerability has been identified in the Immunization module of OpenEMR, prior to version 8.0.0. This vulnerability allows authenticated users to execute arbitrary SQL queries, leading to complete database compromise, exfiltration of protected health information (PHI), theft of credentials, and potentially remote code execution. The issue arises because user-supplied 'patient_id' values are directly concatenated into SQL WHERE clauses without proper parameterization or escaping.

Impact

Exploitation of this vulnerability allows for SQL injection, which can lead to unauthorized data access, data manipulation, and in some cases, remote code execution, depending on the database user's privileges.

Reproduction

To reproduce this vulnerability, log into OpenEMR as an authenticated user with access to the Immunization module. Then, send a POST request to the Immunization controller endpoint with a malicious 'patient_id' parameter that exploits the SQL injection vulnerability. The injected SQL payload can be crafted to, for example, bypass authentication, access sensitive data, or execute arbitrary SQL commands that could lead to a database compromise.

Remediation

Users are advised to update OpenEMR to version 8.0.0 or later, where this vulnerability has been patched.
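To make the defect described above and the shape of its remediation concrete, here is an added Python model (not OpenEMR's PHP code and not the 8.0.0 patch) of a 'patient_id' lookup: one version concatenates the request value into the WHERE clause as the advisory describes, the other validates the type and binds it as a parameter. The table, column names and sample rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an immunization table (not OpenEMR's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE immunizations (id INTEGER, patient_id INTEGER, vaccine TEXT)"
    )
    conn.executemany(
        "INSERT INTO immunizations VALUES (?, ?, ?)",
        [(1, 100, "MMR"), (2, 100, "Tdap"), (3, 200, "HepB"), (4, 300, "Flu")],
    )
    return conn


def lookup_vulnerable(conn, patient_id):
    """Defect pattern: the raw request value becomes part of the SQL text.

    Anything after the number is interpreted as SQL, so a value that is not
    a plain patient id changes the query instead of being matched as data.
    """
    sql = "SELECT id, vaccine FROM immunizations WHERE patient_id = " + str(patient_id)
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, patient_id):
    """Remediation pattern: enforce the expected type, then bind a parameter.

    int() rejects anything that is not a whole number (ValueError), and the
    driver sends the bound value separately from the SQL text, so it can never
    be parsed as part of the statement.
    """
    pid = int(str(patient_id).strip())
    sql = "SELECT id, vaccine FROM immunizations WHERE patient_id = ?"
    return conn.execute(sql, (pid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Same request value, two very different outcomes.
    print("vulnerable:", lookup_vulnerable(db, "100 OR 1=1"))  # every patient's rows
    try:
        lookup_fixed(db, "100 OR 1=1")
    except ValueError as exc:
        print("fixed: rejected ->", exc)
```

The check that a practitioner wants in code review is the second function's shape: the value never touches the SQL string, and the type is validated before the query runs.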

Added: Feb 25, 2026, 10:52 PM
Updated: Feb 25, 2026, 10:52 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 10.0
exploitability: 5.8
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.