OpenEMR Remote Code Execution Vulnerability in oe-module-faxsms

Vulnerability

A remote code execution vulnerability exists in OpenEMR versions prior to 7.0.4, within the oe-module-faxsms component. The issue arises in the disposeDocument() method of EtherFaxActions.php, where authenticated users can write arbitrary content to any location on the server filesystem. This flaw can be exploited by uploading malicious PHP web shells.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the server with the same privileges as the web server user, typically 'apache'. This could lead to complete control over the server, access to all patient data, and potential lateral movement within the network.

Reproduction

To reproduce this vulnerability, authenticate with valid OpenEMR credentials. Once logged in, navigate to the oe-module-faxsms component. The disposeDocument() method can be called with a crafted request that includes a file path pointing to a writable location on the server, such as the web root. The request must also include base64-encoded content that, when decoded, is a malicious PHP web shell. After the shell is uploaded, it can be accessed via HTTP, allowing for command execution on the server.

Remediation

Users are advised to update OpenEMR to version 7.0.4 or later. If immediate updating is not possible, the oe-module-faxsms component can be disabled in the global configuration. Additionally, access to the module can be blocked at the firewall or through Apache .htaccess rules.
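The root cause described under Vulnerability is a file write in which both the destination path and the content come from the request. The following added example (not OpenEMR's code and not the 7.0.4 patch) shows a containment pattern for such a write. The function name storeDocument, the storage directory, and the PDF/TIFF allowlist are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical helper (not OpenEMR code): store a base64-encoded document
// under one fixed directory, ignoring any directory the caller supplies.
function storeDocument(string $baseDir, string $requestedName, string $b64): string
{
    $root = realpath($baseDir);               // storage root must already exist
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('storage directory missing');
    }
    // Keep only the final path component, so "../" and absolute paths are dropped.
    $name = basename($requestedName);
    // Allowlist: one extension, no extra dots (assumption: faxes are PDF or TIFF).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(pdf|tif|tiff)\z/', $name)) {
        throw new InvalidArgumentException('file name not allowed');
    }
    // Strict mode rejects input containing characters outside the base64 alphabet.
    $data = base64_decode($b64, true);
    if ($data === false) {
        throw new InvalidArgumentException('invalid base64 content');
    }
    // The decoded bytes must start with a PDF or TIFF signature.
    $isPdf  = strncmp($data, '%PDF-', 5) === 0;
    $isTiff = strncmp($data, "II*\0", 4) === 0 || strncmp($data, "MM\0*", 4) === 0;
    if (!$isPdf && !$isTiff) {
        throw new InvalidArgumentException('content is not PDF or TIFF');
    }
    // 'x' mode creates the file exclusively: it fails if the name already
    // exists, including when it exists as a symlink.
    $target = $root . DIRECTORY_SEPARATOR . $name;
    $fh = @fopen($target, 'xb');
    if ($fh === false) {
        throw new RuntimeException('could not create file');
    }
    fwrite($fh, $data);
    fclose($fh);
    return $target;
}
// Constructed demo input: a temporary directory and a minimal PDF header.
$dir = sys_get_temp_dir() . '/fax_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$pdf = base64_encode("%PDF-1.4\n% constructed sample\n");
echo storeDocument($dir, 'fax_0001.pdf', $pdf), "\n";
foreach (['../../index.php', '/var/www/html/x.php', 'fax.pdf.php'] as $bad) {
    try {
        storeDocument($dir, $bad, $pdf);
    } catch (InvalidArgumentException $e) {
        echo "rejected: $bad\n";
    }
}
```

Keeping the storage directory outside the web root, or configured so the web server never executes scripts from it, limits the effect of any check that is bypassed.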

Added: Mar 3, 2026, 10:53 PM
Updated: Mar 3, 2026, 10:53 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 10.0
exploitability: 6.2
remediation: 8.3
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.