OpenEMR Access Control Vulnerability in Message List Export Prior to Version 8.0.0

Vulnerability

A broken access control vulnerability has been identified in OpenEMR versions prior to 8.0.0. It allows low-privileged users, such as receptionists, to export the entire message list, which includes sensitive patient and user information. The flaw is in the report export feature of interface/reports/message_list.php, which runs the database queries that build the export without first checking that the requesting user is permitted to read that data. The script does verify a CSRF token, but a CSRF token is an anti-forgery measure, not an authorization check: every logged-in user, the receptionist included, already holds a valid token for their own session, so the check does nothing to stop an authenticated but unprivileged user from requesting the export.

Impact

Exploitation of this vulnerability allows low-privileged users to access and export sensitive patient and user data, including internal communications between healthcare providers, message statuses and updates, and metadata such as message senders, recipients, timestamps, and priorities.

Reproduction

To reproduce this vulnerability, log into OpenEMR as a low-privileged user, such as a receptionist. Capture the CSRF token issued to that session (it appears in the page source of OpenEMR forms rendered for the session, or in any previous legitimate request made from it). Then send a POST request to 'interface/reports/message_list.php' with the 'form_csvexport=true' parameter, the CSRF token, and a date range. The response is a CSV file containing message data for all users and patients, not only the records the receptionist's role entitles them to see.

Remediation

Users are advised to update to OpenEMR version 8.0.0 or later, where this vulnerability has been patched. For versions prior to 8.0.0, add an authorization check in message_list.php using OpenEMR's acl_check() function, confirming that the current user holds the ACL right covering message data, before any of the export queries run. The check must be made in addition to, not instead of, the existing CSRF verification. Administrators should also review web server access logs for POST requests to 'interface/reports/message_list.php' from low-privileged accounts; the 'form_csvexport' parameter travels in the request body and will not appear in a standard access log, so any such POST from an account that has no business running the report deserves a closer look.
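The following is an added illustration written for this advisory; it is not code from OpenEMR or from the advisory's author. It places the unsafe pattern described above (CSRF verification as the only gate) next to a hardened handler that performs an acl_check() before any data-bearing query executes. The ACL section/value pair ('patients', 'notes'), the POST field names, the table and column names in the query, and the use of CsrfUtils::verifyCsrfToken() for the token check are assumptions, not details taken from the page; verify each against the OpenEMR version you run (newer releases expose the same ACL check as AclMain::aclCheckCore() rather than acl_check()).

```php
<?php
// Added example for this advisory; not code from OpenEMR or the advisory.
// ASSUMPTIONS (not from the page): the ACL pair ('patients', 'notes'), the
// POST field names csrf_token_form / form_from_date / form_to_date, the
// pnotes table and its columns, and CsrfUtils for the token check.
// Check all of them against your installed OpenEMR version.

require_once("../globals.php");

use OpenEMR\Common\Csrf\CsrfUtils;

/** Stream query rows as a CSV download. Shared by both handlers below. */
function emit_message_csv($result): void
{
    header("Content-Type: text/csv");
    header("Content-Disposition: attachment; filename=message_list.csv");
    $out = fopen("php://output", "w");
    fputcsv($out, ["date", "pid", "user", "assigned_to", "title", "message_status"]);
    while ($row = sqlFetchArray($result)) {
        fputcsv($out, [
            $row["date"], $row["pid"], $row["user"],
            $row["assigned_to"], $row["title"], $row["message_status"],
        ]);
    }
    fclose($out);
}

/** Illustrative export query; table and column names are assumed. */
function fetch_messages(string $from, string $to)
{
    return sqlStatement(
        "SELECT date, pid, user, assigned_to, title, message_status " .
        "FROM pnotes WHERE date BETWEEN ? AND ? AND deleted = 0 ORDER BY date",
        [$from, $to]
    );
}

// --- Vulnerable shape: CSRF verification is the only gate. ---
// Every logged-in user holds a valid token for their own session, so this
// check only proves the request came from that user's browser. It never
// asks whether the user may read every patient's and provider's messages.
function export_messages_vulnerable(): void
{
    if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"] ?? "")) {
        CsrfUtils::csrfNotVerified();
    }
    emit_message_csv(fetch_messages(
        $_POST["form_from_date"] ?? "",
        $_POST["form_to_date"] ?? ""
    ));
}

// --- Hardened shape: authorization before any data-bearing query. ---
function export_messages_hardened(): void
{
    // Anti-forgery check, kept exactly as before.
    if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"] ?? "")) {
        CsrfUtils::csrfNotVerified();
    }
    // Authorization check: refuse unless the current user's ACL grants the
    // right that covers this report (section/value pair is an assumption).
    // A receptionist whose role lacks it gets 403 and no query ever runs.
    if (!acl_check("patients", "notes")) {
        http_response_code(403);
        echo xlt("Not authorized");
        exit;
    }
    emit_message_csv(fetch_messages(
        $_POST["form_from_date"] ?? "",
        $_POST["form_to_date"] ?? ""
    ));
}

if (!empty($_POST["form_csvexport"])) {
    export_messages_hardened();
}
```

The ordering in the hardened handler matters: the ACL check sits before fetch_messages() is called, so an unauthorized request is rejected without touching the database. Placing the same check after the query, or only around the CSV output, would still execute the sensitive query and leave the data one coding mistake away from disclosure.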

Added: Feb 25, 2026, 2:21 AM
Updated: Feb 25, 2026, 2:21 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.