OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0
A vulnerability exists in OpenEMR versions prior to 8.0.0 that allows authenticated users to bypass access controls in the Message Center. The application accepts the URL parameter 'show_all=yes' and passes it to a function that retrieves internal messages for all users, but the backend never verifies whether the requesting user is an administrator before honouring the parameter. Consequently, any authenticated user can retrieve the complete internal message list by including 'show_all=yes' in the request. This exposes sensitive communications and patient-related notes and poses a risk to HIPAA compliance.
Exploitation of this vulnerability allows non-admin users to read all internal messages, including sensitive patient-related notes and staff communications, creating a risk of unauthorized access to protected health information.
To reproduce this vulnerability, log in as a non-admin user and navigate to the Message Center. Either click the 'Show All' link, which is visible to all users, or manually request 'messages.php?show_all=yes'. The response will include all internal messages for every user, rather than just those assigned to the current user.
Users can update to OpenEMR version 8.0.0 or later, where this vulnerability has been patched.
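The pattern behind this bug, and the server-side check that closes it, as an added illustrative example (this is not OpenEMR's code; the `User` class, the message store and the function names are hypothetical). The request parameter may only express a preference; the caller's role, looked up server-side, decides what is returned, and a denied request is surfaced as an audit event so it can be alerted on.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool

# Constructed sample message store: (recipient, body). Not real data.
MESSAGES = [
    ("alice", "Lab results for patient #1 ready"),
    ("bob", "Front desk: reschedule Tuesday"),
    ("carol", "Admin: audit reminder"),
]

def _inbox(user: User) -> list[str]:
    return [body for to, body in MESSAGES if to == user.username]

def list_messages_vulnerable(user: User, params: dict) -> list[str]:
    """Mirrors the behaviour the advisory describes for versions before
    8.0.0: 'show_all=yes' is honoured for any authenticated user, so the
    client-controlled parameter alone grants access to every inbox."""
    if params.get("show_all") == "yes":
        return [body for _, body in MESSAGES]
    return _inbox(user)

def list_messages_fixed(user: User, params: dict) -> list[str]:
    """Hardened variant: the parameter is only a hint. The role check runs
    on the server against the session's user; non-admins always get their
    own inbox no matter what the request says."""
    if params.get("show_all") == "yes" and user.is_admin:
        return [body for _, body in MESSAGES]
    return _inbox(user)

def audit_event(user: User, params: dict) -> Optional[dict]:
    """Detection hook for the fixed handler: a non-admin asking for the
    full list is a denied privilege request worth logging and alerting on.
    Returns None when nothing suspicious happened."""
    if params.get("show_all") == "yes" and not user.is_admin:
        return {"event": "authz_denied", "user": user.username,
                "resource": "messages", "param": "show_all=yes"}
    return None

if __name__ == "__main__":
    bob = User("bob", is_admin=False)
    print(list_messages_vulnerable(bob, {"show_all": "yes"}))  # every inbox
    print(list_messages_fixed(bob, {"show_all": "yes"}))       # bob's only
    print(audit_event(bob, {"show_all": "yes"}))
```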