OpenEMR SQL Injection Vulnerability in Patient REST API Endpoint

Vulnerability

A SQL injection vulnerability has been identified in the Patient REST API endpoint of OpenEMR, prior to version 8.0.0. This vulnerability allows authenticated users with API access to execute arbitrary SQL queries through the '_sort' parameter. The issue arises because user-supplied sort field names are incorporated into ORDER BY clauses without adequate validation or escaping, potentially leading to unauthorized database access, exposure of Protected Health Information (PHI), and compromise of user credentials.
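The root cause named above, a caller-supplied sort field spliced straight into ORDER BY, cannot be fixed with parameter binding, because database drivers bind values, not identifiers. The usual defence is an allow-list that maps the API's sort names onto developer-written column names. The following is an added illustration, not OpenEMR's code: the `patient_data` table layout, the `SORT_FIELDS` mapping and the sample rows are constructed for the demo, and the safe builder accepts a FHIR-style `_sort` of comma-separated names with an optional leading `-` for descending order.

```python
"""Allow-list validation of a `_sort` parameter before it reaches ORDER BY.

Added illustration, not OpenEMR's code: table, columns, sort-field mapping
and sample rows are constructed here for the demo.
"""
import re
import sqlite3

# Hypothetical mapping from API sort name to real column name. Only the
# values of this dict ever reach SQL, and they are fixed developer-written
# literals; the caller's string is used purely as a lookup key.
SORT_FIELDS = {
    "family": "lname",
    "given": "fname",
    "birthdate": "DOB",
    "_id": "pid",
}

# A sort token is an optional '-' followed by a plain identifier; anything
# with spaces, parentheses, quotes or commas inside a token is rejected.
_FIELD_TOKEN = re.compile(r"-?[A-Za-z_][A-Za-z0-9_]*")


def build_order_by_unsafe(sort_param: str) -> str:
    """The defective pattern the advisory describes: the caller's string is
    spliced into the clause unchanged, so any SQL expression is accepted."""
    return f"ORDER BY {sort_param}"


def build_order_by_safe(sort_param: str) -> str:
    """Translate `_sort` (e.g. "family,-birthdate") into an ORDER BY clause
    made only of allow-listed column names and ASC/DESC keywords.

    Raises ValueError for anything off the allow-list; an HTTP handler would
    turn that into a 400 response rather than running the query."""
    clauses = []
    for raw in sort_param.split(","):
        token = raw.strip()
        if not _FIELD_TOKEN.fullmatch(token):
            raise ValueError(f"invalid sort token: {token!r}")
        direction = "DESC" if token.startswith("-") else "ASC"
        field = token.lstrip("-")
        if field not in SORT_FIELDS:
            raise ValueError(f"unknown sort field: {field!r}")
        clauses.append(f"{SORT_FIELDS[field]} {direction}")
    return "ORDER BY " + ", ".join(clauses)


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real patient data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient_data (pid INTEGER, lname TEXT, fname TEXT, DOB TEXT)"
    )
    conn.executemany(
        "INSERT INTO patient_data VALUES (?, ?, ?, ?)",
        [
            (1, "Smith", "Ann", "1980-01-01"),
            (2, "Jones", "Bob", "1975-05-05"),
            (3, "Smith", "Cal", "1990-09-09"),
        ],
    )
    return conn


def list_patients(conn: sqlite3.Connection, sort_param: str) -> list:
    """Run the patient listing with a validated ORDER BY clause."""
    order_by = build_order_by_safe(sort_param)
    sql = f"SELECT pid, lname, fname, DOB FROM patient_data {order_by}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = demo_db()
    print(list_patients(conn, "family,-birthdate"))
    for bad in ("(SELECT 1)", "lname", "family;"):
        try:
            build_order_by_safe(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Note that the real column name `lname` is itself rejected as a `_sort` value: the allow-list is keyed on the API's vocabulary, so the caller never learns or chooses physical column names, and adding a sortable field is a one-line change to `SORT_FIELDS` rather than a change to the validator.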

Impact

An authenticated user with API access who exploits this vulnerability can execute arbitrary SQL queries against the OpenEMR database. This could result in unauthorized access to the database, extraction of sensitive information such as PHI, and compromise of user credentials.

Reproduction

To reproduce this vulnerability, send a GET request to the '/api/patient' endpoint with a malicious '_sort' parameter that includes SQL injection payloads, such as a subquery that uses SQL functions like SLEEP(). Include a valid OAuth2 bearer token in the Authorization header.

Remediation

Users should update to OpenEMR version 8.0.0 or later, where this vulnerability has been patched.

Added: Feb 25, 2026, 10:49 PM
Updated: Feb 25, 2026, 10:49 PM

Vulnerability Rating

Custom Algorithm

  spread          4.5
  impact          5.0
  exploitability  6.2
  remediation     7.7
  relevance       3.2
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.