OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 8.0.0
A vulnerability allowing arbitrary file exfiltration has been identified in OpenEMR versions prior to 8.0.0. This issue resides in the fax sending endpoint, where authenticated users can read and send any file on the server, including database credentials, patient documents, system files, and source code, to an attacker-controlled phone number. The vulnerability arises because the endpoint accepts arbitrary file paths from user input and transmits them to the fax gateway without proper path validation or authorization checks.
Exploitation of this vulnerability allows for the unauthorized exfiltration of sensitive files via fax, including database credentials and patient documents.
To reproduce this vulnerability, an authenticated user must send a POST request to the fax sending endpoint with an arbitrary file path included in the request. The fax will be sent to the specified phone number, allowing the attacker to receive the contents of the file via fax.
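The root cause described above is a user-supplied path reaching the fax gateway without containment or authorization checks. The following PHP sketch is an added example, not OpenEMR's code or its actual fix: the function name `resolveFaxAttachment`, the `$mayRead` callback and the temporary outbox directory are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not OpenEMR code): map a user-supplied attachment name
// to a real file inside $baseDir, or throw before anything reaches the gateway.
function resolveFaxAttachment(string $userPath, string $baseDir, callable $mayRead): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('attachment directory unavailable');
    }
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('invalid attachment name');
    }
    // Anchor the input under the base directory, then let realpath() collapse
    // "..", "." and symlinks so the check runs on the file actually opened.
    $real = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real === false || !is_file($real) || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('attachment not found in allowed directory');
    }
    // Path containment is not authorization: the caller decides per file.
    if (!$mayRead($real)) {
        throw new RuntimeException('user not authorized for this attachment');
    }
    return $real;
}

// Constructed demo data: a temporary directory standing in for the fax outbox.
$outbox = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fax_outbox_' . bin2hex(random_bytes(4));
mkdir($outbox, 0700);
file_put_contents($outbox . DIRECTORY_SEPARATOR . 'referral.pdf', 'constructed sample');
$allowAll = static fn(string $path): bool => true; // stand-in for a real ACL check

foreach (['referral.pdf', '../../../etc/passwd', '/etc/passwd', 'missing.pdf'] as $input) {
    try {
        echo $input, ' => ', resolveFaxAttachment($input, $outbox, $allowAll), PHP_EOL;
    } catch (Throwable $e) {
        echo $input, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
unlink($outbox . DIRECTORY_SEPARATOR . 'referral.pdf');
rmdir($outbox);
```

Only `referral.pdf` resolves; the traversal, absolute-path and nonexistent inputs are rejected before any file is read.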