OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0
A broken access control vulnerability affects OpenEMR versions prior to 8.0.0, specifically the 'edih_main.php' endpoint. Any authenticated user, including low-privilege roles such as Receptionist, can retrieve EDI log files through it. The back end does not enforce role-based access control (RBAC) on this endpoint, so logs that the application's GUI keeps out of reach of such roles can be read by requesting them directly. The vulnerability is exploited by supplying the name of the desired log file in the 'log_select' parameter of a GET request, bypassing the intended access controls.
Exploitation gives an attacker unauthorized access to internal system logs and to the protected health information (PHI) they contain. With that access an attacker can gather system metadata, pivot to further attacks such as control number spoofing, and bypass auditing controls by reading logs without authorization.
To reproduce, log into OpenEMR with a low-privilege account such as a Receptionist. Then send a GET request to the 'edih_main.php' endpoint that carries a valid CSRF token for the session and names the log file to read in the 'log_select' parameter. The response contains the requested log file. Note that the CSRF check does pass and is not the bug: the token only proves the request came from the user's own session, not that the user is permitted to read EDI logs, and no such permission check is made.
Update to OpenEMR version 8.0.0 or later, where this vulnerability is patched. If an earlier version must remain in service, add a role-based access control check at the entry point of 'edih_main.php' that verifies the user's permission before any log file is read, and use OpenEMR's existing ACL system for that check so the permission is managed consistently with the rest of the application.
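The following is an added example of such an entry-point check, not OpenEMR's own code or the upstream 8.0.0 patch. It shows the flawed shape (CSRF verified, no authorization) beside a hardened one that calls OpenEMR's ACL API before touching any log file. Assumptions: the script is bootstrapped through OpenEMR's globals.php; the ACL section/value pair ('acct', 'bill') stands in for whatever permission the EDI history GUI is actually gated on at your site; $logdir is a placeholder for the real EDI log directory; and 'log_select' and 'csrf_token_form' are the request parameter names.

```php
<?php
// Added example (not OpenEMR's code): RBAC check at the top of edih_main.php.
// Assumptions: globals.php bootstrap, ACL pair ('acct','bill') chosen as an
// illustration of the EDI-history permission, $logdir is a placeholder path,
// and 'log_select' names the requested log file as the advisory describes.

require_once(__DIR__ . "/../globals.php");

use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;

$logdir = $GLOBALS['OE_SITE_DIR'] . "/documents/edi/history/log"; // assumed location

// --- BEFORE (shape of the flaw): the CSRF token is verified, but nothing asks
// whether this user may read EDI logs, so a Receptionist session gets through.
//
// if (!CsrfUtils::verifyCsrfToken($_GET["csrf_token_form"])) {
//     CsrfUtils::csrfNotVerified();
// }
// $logfile = $_GET['log_select'];
// readfile($logdir . "/" . $logfile);

// --- AFTER: authenticate the request AND authorize the user before any read.
if (!CsrfUtils::verifyCsrfToken($_GET["csrf_token_form"] ?? '')) {
    CsrfUtils::csrfNotVerified();
}

// A CSRF token proves the request originated from the user's own session; it
// says nothing about the user's role. The ACL lookup is what enforces RBAC.
// AclMain::aclCheckCore() returns a truthy value only when the logged-in user
// holds the named permission in OpenEMR's ACL tables.
if (!AclMain::aclCheckCore('acct', 'bill')) {
    http_response_code(403);
    die(xlt("Not authorized"));
}

// Defense in depth (not part of the reported flaw): accept only a bare file
// name that actually exists in the log directory, rather than a caller-chosen
// path. scandir() gives the allow-list of real log files.
$requested = basename((string)($_GET['log_select'] ?? ''));
$available = array_diff(scandir($logdir) ?: [], ['.', '..']);
if ($requested === '' || !in_array($requested, $available, true)) {
    http_response_code(404);
    die(xlt("Log file not found"));
}

header('Content-Type: text/plain; charset=utf-8');
readfile($logdir . "/" . $requested);
```

Whatever ACL pair is used, it should be the same one that hides the EDI history screens from low-privilege roles in the GUI, so that the back end and the menu agree on who may see these logs.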