OpenEMR Authorization Bypass Vulnerability in Patient Portal Signature Endpoint Allowing Signature Forgery

Vulnerability

An authorization bypass vulnerability has been identified in OpenEMR versions prior to 8.0.0, specifically within the patient portal signature endpoint. An authenticated portal user can upload and overwrite a provider's signature by manipulating the request to include 'type=admin-signature' together with any provider user ID. Because the endpoint does not verify that the caller is authorized to write that signature, a portal user can forge provider signatures on medical documents, leading to legal compliance violations and fraud. The root cause is that the endpoint trusts the signature type and target user ID supplied in the request instead of restricting portal users to their own patient signature.

Impact

Exploitation of this vulnerability could result in unauthorized modification of provider signatures, allowing forgeries to be created on medical documents. This could lead to legal compliance issues and fraudulent activities.

Reproduction

To reproduce this vulnerability, log into the OpenEMR patient portal as a patient with a valid account. Once logged in, send a POST request to the signature endpoint ('portal/sign/lib/save-signature.php') with 'type=admin-signature' and a specified provider user ID, including the portal session cookie so the request is authenticated as the portal user. After the request is processed, the provider's signature will have been overwritten with the uploaded data, which can be verified by checking the database or by generating a document that uses the provider's signature.

Remediation

Update to OpenEMR version 8.0.0 or later, where this vulnerability has been patched.
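The check that the patched endpoint must enforce is shown below as an added illustration written for this page; it is not OpenEMR's code and does not reproduce the project's actual handler. It models the vulnerable behaviour (trusting the request's signature type and target ID) beside a hardened version that derives both from the portal session. The class and field names, the two signature type strings, and the in-memory store are assumptions.

```python
"""Authorization model for a patient-portal save-signature endpoint.

Added illustration, not OpenEMR's code. It models the check the advisory
says was missing: a patient-portal session must never write a provider
("admin") signature, and may only write its own patient signature.
Names, fields and the store layout are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortalSession:
    """Hypothetical portal session: always a patient, never a provider."""
    patient_id: int


@dataclass(frozen=True)
class SignatureRequest:
    """Hypothetical parsed POST body of a save-signature request."""
    sig_type: str      # "patient-signature" or "admin-signature" (assumed values)
    target_id: int     # patient id or provider user id, as chosen by the client
    payload: bytes     # uploaded signature data


class Forbidden(Exception):
    """Raised when the session is not allowed to write the requested signature."""


def save_signature_vulnerable(store, session, req):
    """Trusts the request body: the session is only used for authentication,
    so any portal user can overwrite any provider signature by sending
    type=admin-signature with a provider user id."""
    store[(req.sig_type, req.target_id)] = req.payload
    return True


def save_signature_hardened(store, session, req):
    """Authorizes against the session, not the request body."""
    # A portal session can only ever act as a patient.
    if req.sig_type != "patient-signature":
        raise Forbidden("portal sessions cannot write provider signatures")
    # And only for the patient the session belongs to; the id the client
    # sent must match, and the session's id is what actually gets written.
    if req.target_id != session.patient_id:
        raise Forbidden("portal session may only sign as itself")
    store[("patient-signature", session.patient_id)] = req.payload
    return True


def attempt(handler, store, session, req):
    """Run a handler and report the outcome without raising, for demos/tests."""
    try:
        handler(store, session, req)
        return "saved"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # Constructed sample data: provider 7 has an existing signature,
    # and patient 42 is logged in to the portal.
    store = {("admin-signature", 7): b"provider-original"}
    session = PortalSession(patient_id=42)
    forged = SignatureRequest("admin-signature", 7, b"forged")
    print("vulnerable:", attempt(save_signature_vulnerable, dict(store), session, forged))
    print("hardened:  ", attempt(save_signature_hardened, dict(store), session, forged))
```

The design point is that the hardened handler never lets the client choose whose signature is written: the type is fixed by the kind of session and the identity comes from the session itself, so the request-supplied values can only confirm, never expand, what the caller may do.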

Added: Feb 25, 2026, 10:49 PM
Updated: Feb 25, 2026, 10:49 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.