OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0
A SQL injection vulnerability has been identified in OpenEMR versions prior to 8.0.0, specifically within the prescription listing feature. This vulnerability allows authenticated attackers to inject malicious SQL code due to inadequate input validation. The issue arises in the 'sort' parameter, which is directly added to SQL queries without proper sanitization, enabling attackers to manipulate the SQL command and potentially access or modify database information.
Exploitation of this vulnerability could lead to unauthorized access to database information, including sensitive medical records, and in some cases, allow for server-side code execution.
To reproduce this vulnerability, an authenticated user can send a request to 'controller.php' with the 'prescription' parameter set to an empty value, the 'id' parameter set to a valid patient ID, and the 'sort' parameter injected with malicious SQL code. The lack of proper input validation in the 'prescriptions_factory' function will allow the injected SQL to be executed, demonstrating the vulnerability.
Users can update to OpenEMR version 8.0.0 or later, where this vulnerability has been patched.
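The bug class described above, a 'sort' value placed directly into the SQL text, is normally closed by mapping the request value to a fixed set of column names, since identifiers in ORDER BY cannot be bound as parameters. The following is an added example, not OpenEMR's code or its 8.0.0 patch; the table, column and function names are hypothetical and the data is constructed, using an in-memory SQLite database through PDO.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: accepted request value => fixed SQL column.
// Column names are assumptions for illustration, not OpenEMR's schema.
const SORT_COLUMNS = [
    'drug'       => 'drug',
    'date_added' => 'date_added',
    'provider'   => 'provider_id',
];

/**
 * Resolve an untrusted sort key and direction to an ORDER BY clause built
 * only from constants. Unknown or missing values fall back to the default.
 */
function order_by_clause(?string $sort, ?string $dir): string
{
    $column    = SORT_COLUMNS[$sort ?? ''] ?? 'date_added';
    $direction = strtoupper($dir ?? '') === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY {$column} {$direction}";
}

/**
 * The ORDER BY text comes from the allowlist; the patient id is a bound
 * parameter. No request data is concatenated into the statement.
 */
function list_prescriptions(PDO $db, int $patientId, ?string $sort, ?string $dir): array
{
    $sql = 'SELECT id, drug, date_added FROM prescriptions WHERE patient_id = :pid '
         . order_by_clause($sort, $dir);
    $stmt = $db->prepare($sql);
    $stmt->execute([':pid' => $patientId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE prescriptions (id INTEGER PRIMARY KEY, patient_id INT,
           drug TEXT, date_added TEXT, provider_id INT)');
$db->exec("INSERT INTO prescriptions (patient_id, drug, date_added, provider_id)
           VALUES (1, 'amoxicillin', '2024-01-02', 7), (1, 'ibuprofen', '2024-03-05', 3)");

// A known key sorts as requested; anything else resolves to the default column.
foreach (['drug', 'drug, (SELECT 1)', null] as $sort) {
    echo json_encode($sort), ' => ', order_by_clause($sort, 'asc'), PHP_EOL;
}
print_r(list_prescriptions($db, 1, 'drug', 'asc'));
```

A quick review check for similar code paths is to search for request parameters that reach an ORDER BY, LIMIT or column list by string concatenation, since those positions cannot be covered by bound parameters alone.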