OpenEMR Broken Access Control Vulnerability in Order Types Management

Vulnerability

A broken access control vulnerability has been identified in OpenEMR versions prior to 8.0.0, in the order types management system. It allows low-privilege users, such as receptionists, to add and modify procedure types without proper authorization. The issue arises from the lack of access control checks on the 'types_edit.php' endpoint, which is reachable by any authenticated user regardless of role. Additionally, form submissions to this endpoint were not protected against cross-site request forgery (CSRF).

Impact

Exploitation of this vulnerability could lead to unauthorized modification of procedure types, allowing low-privilege users to undermine the integrity of the ordering system, including by creating malicious procedure types that could adversely affect patient care.

Reproduction

To reproduce this vulnerability, log into OpenEMR with a low-privilege account, such as a receptionist. Then, send a POST request to the 'types_edit.php' endpoint with the necessary parameters to add or modify a procedure type. The request will be processed without any authorization checks, and the changes will be reflected in the system. This vulnerability can also be exploited to delete procedure types by sending a similar request with the 'form_delete' parameter.

Remediation

Users are advised to update to OpenEMR version 8.0.0 or later, where this vulnerability has been patched.
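For illustration, the following is an added example of what a hardened version of an endpoint like this looks like; it is not OpenEMR's own types_edit.php or its 8.0.0 patch. It applies the two checks the advisory reports as missing, an ACL check and a CSRF token check, before any state change. The ACL section and value ('admin', 'super'), the field name form_type_id, and the helpers saveProcedureType() and deleteProcedureType() are assumptions standing in for the real database code.

```php
<?php
// Added example, not OpenEMR's own types_edit.php: shape of a hardened
// order-type edit handler. Assumptions: the ACL pair ('admin', 'super'),
// the field name form_type_id, and the two helpers at the bottom.

require_once(__DIR__ . "/../globals.php");

use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;

// 1. Authorization first, for GET and POST alike: a low-privilege user
//    (e.g. a receptionist) must not even be shown the form.
if (!AclMain::aclCheckCore('admin', 'super')) {
    die(xlt('Not authorized'));
}

// 2. CSRF check on every state-changing request: the token must match
//    this user's session, so a form submission forged from another site
//    fails here even though the victim is logged in.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!CsrfUtils::verifyCsrfToken($_POST['csrf_token_form'] ?? '')) {
        CsrfUtils::csrfNotVerified();
    }

    $typeId = (int) ($_POST['form_type_id'] ?? 0); // assumed field name

    // Delete is a separate branch, so it is covered by the same two checks.
    if (!empty($_POST['form_delete'])) {
        deleteProcedureType($typeId);          // assumed helper
    } else {
        saveProcedureType($typeId, $_POST);    // assumed helper
    }
    exit;
}

// 3. When rendering the form, embed a fresh session-bound token so that
//    step 2 has something to verify on the subsequent POST.
?>
<form method="post" action="types_edit.php">
  <input type="hidden" name="csrf_token_form"
         value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
  <!-- remaining form fields omitted -->
</form>
```

The ordering matters: the ACL check runs before the request method is even inspected, so neither the form nor the delete branch is reachable by an unauthorized role.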

Added: Feb 25, 2026, 2:20 AM
Updated: Feb 25, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 1.3
exploitability: 6.2
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.