OpenEMR Session Timeout Bypass Vulnerability

Vulnerability

A vulnerability in OpenEMR prior to version 8.0.0 allows any client holding a session cookie to bypass the idle-session expiration check, resulting in insufficient session management. The issue arises in the 'library/auth.inc.php' file, where the session expiration verification is skipped whenever the 'skip_timeout_reset' parameter is present in the request. Because that parameter is fully under the requester's control, any request that includes it keeps an otherwise expired session usable, giving continued access to protected data and defeating the session timeout policy that security and compliance requirements such as HIPAA depend on.

Impact

Exploitation of this vulnerability allows indefinite session persistence, bypassing the normal idle timeout. This could lead to unauthorized access to sensitive health information, since expired sessions are not terminated server-side. It also extends the value of a stolen session cookie: an attacker who obtains one can keep the session alive past the idle timeout simply by appending the parameter to each request, turning a time-limited window into one that lasts until the session is explicitly logged out.

Reproduction

To reproduce this vulnerability, log into OpenEMR and let the session expire by not interacting with the application for the duration of the configured session timeout. Once the session has expired, request a protected page without the 'skip_timeout_reset' parameter. The expected behavior is a redirect to the login page or a 'session expired' message, confirming that the expiration check is enforced on a normal request; this also terminates the expired session, so log in again before the second attempt. Let the new session expire in the same way, then request the same protected page with 'skip_timeout_reset=1' appended to the query string. This time the session remains active and the protected content is returned, demonstrating the bypass. Note that the bypass only holds for requests that carry the parameter: the next request without it runs the expiration check and terminates the session, so an attacker must include the parameter on every request to keep the session alive.
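The following is a simplified model of the flaw described under Vulnerability and of the sequence described under Reproduction, added here as an illustration; it is not OpenEMR's code. The function names, the session array layout, the 7200-second idle timeout, the login timestamp and the 'authUser' key are assumptions. The vulnerable shape places the expiry check inside the 'skip_timeout_reset' conditional, so a request carrying the parameter is never checked; the hardened shape always runs the expiry check and only gates the refresh of the last-activity timestamp, which is all a background poll should be allowed to skip.

```php
<?php
// Added illustration, not OpenEMR's code: a model of the idle-timeout check in
// library/auth.inc.php. Session state is passed in as an array and the clock is
// passed in explicitly so the reproduction sequence can be replayed offline.

const TIMEOUT_SECONDS = 7200; // assumed idle timeout; the real value is configurable

/**
 * Vulnerable shape: the whole block, expiry check included, is skipped when
 * skip_timeout_reset is present, so a request with the parameter is never
 * logged out no matter how stale the session is.
 * Returns true if the request is allowed, false if the session is terminated.
 */
function vulnerableCheck(array &$session, array $get, int $now): bool
{
    if (empty($session['authUser'])) {
        return false; // no authenticated session: login required
    }
    if (!isset($get['skip_timeout_reset'])) {
        if (!empty($session['last_update']) && ($session['last_update'] + TIMEOUT_SECONDS) < $now) {
            $session = [];            // terminate the expired session
            return false;
        }
        $session['last_update'] = $now;
    }
    return true;
}

/**
 * Hardened shape: the expiry check always runs; only the refresh of
 * last_update is gated by the parameter.
 */
function hardenedCheck(array &$session, array $get, int $now): bool
{
    if (empty($session['authUser'])) {
        return false;
    }
    if (!empty($session['last_update']) && ($session['last_update'] + TIMEOUT_SECONDS) < $now) {
        $session = [];
        return false;
    }
    if (!isset($get['skip_timeout_reset'])) {
        $session['last_update'] = $now;
    }
    return true;
}

// Replay the reproduction sequence from the advisory against one check variant.
function replay(callable $check): array
{
    $results = [];
    $login   = 1700000000;                     // constructed login time
    $expired = $login + TIMEOUT_SECONDS + 60;  // one minute past the idle timeout

    // 1. Expired session, no parameter: both variants must log the user out.
    $session = ['authUser' => 'admin', 'last_update' => $login];
    $results['no_param'] = $check($session, [], $expired);

    // 2. Fresh login, expired again, request carries skip_timeout_reset=1.
    $session = ['authUser' => 'admin', 'last_update' => $login];
    $results['with_param'] = $check($session, ['skip_timeout_reset' => '1'], $expired);

    // 3. Next request on the same session without the parameter: last_update was
    //    never refreshed, so wherever the check runs it fires.
    $results['after_param'] = $check($session, [], $expired + 60);

    return $results;
}

foreach (['vulnerableCheck' => 'vulnerable', 'hardenedCheck' => 'hardened'] as $fn => $label) {
    foreach (replay($fn) as $step => $allowed) {
        printf("%-10s %-12s %s\n", $label, $step, $allowed ? 'ALLOWED' : 'logged out');
    }
}
```

Run with `php` on the command line. The vulnerable variant reports the with_param step as allowed and then logs the session out on the following request without the parameter, which is the behaviour the reproduction steps describe; the hardened variant logs the session out at every step once the timeout has passed. The design point for the fix is that an attacker-controlled request parameter may only ever decide whether the activity timestamp is refreshed, never whether the expiry comparison runs.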

Remediation

Users are advised to update OpenEMR to version 8.0.0 or later, where this vulnerability has been addressed. After upgrading, confirm the fix by repeating the reproduction steps: a request carrying 'skip_timeout_reset=1' against an idle-expired session should be redirected to the login page just like a request without it.

Added: Feb 25, 2026, 10:47 PM
Updated: Feb 25, 2026, 10:47 PM

Vulnerability Rating

Custom Algorithm
spread          4.5
impact          5.0
exploitability  5.8
remediation     7.7
relevance       3.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.