OpenEMR Layout-Based Form Printable View Authorization Bypass Vulnerability

Vulnerability

A vulnerability exists in OpenEMR versions prior to 8.0.0 within the Layout-Based Form (LBF) printable view. The issue arises because the view accepts 'formid' and 'visitid' (or 'patientid') from the request without verifying that the form is associated with the current user's authorized patient or encounter. This lack of validation allows an authenticated user with LBF access to enumerate form IDs and view or print any patient's encounter forms, potentially exposing sensitive health information.

Impact

Exploitation of this vulnerability leads to an authorization bypass, allowing any LBF form to be viewed or printed by guessing or enumerating form and visit IDs. This exposure includes protected health information (PHI) of other patients.

Reproduction

To reproduce this vulnerability, log in as a user with access to LBF forms. Then, obtain a valid 'formid' and 'visitid' for another patient, which can be done by referencing other reports or sessions. After acquiring these IDs, send a request to the LBF printable view with the stolen 'formid', 'visitid', and 'patientid'. If the response includes the content of the other patient's form, the vulnerability is confirmed.

Remediation

Users should update to OpenEMR version 8.0.0 or later, where this vulnerability has been addressed.
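The check that is missing in the affected versions is an ownership chain: the requested form must belong to the requested encounter, that encounter must belong to the requested patient, and that patient must be one the caller is currently authorized for. The example below is added here to illustrate that pattern; it is not OpenEMR's code, does not use OpenEMR's schema or functions, and does not describe the actual 8.0.0 fix. The FORMS and ENCOUNTERS tables, the Session class, and the two render functions are constructed for illustration.

```python
"""Illustrative authorization check for a printable-form view (hypothetical).

The vulnerable handler trusts every ID in the request. The hardened handler
verifies form -> encounter -> patient, then patient -> caller's authorization,
and records denials so repeated ID probing can be detected.
"""
from dataclasses import dataclass, field

# Constructed sample records; not OpenEMR's tables.
FORMS = {
    101: {"encounter": 5001, "pid": 1, "content": "patient 1 intake form"},
    102: {"encounter": 5002, "pid": 2, "content": "patient 2 intake form"},
}
ENCOUNTERS = {5001: 1, 5002: 2}  # encounter id -> patient id


class Forbidden(Exception):
    """Raised for any form the caller may not view."""


@dataclass
class Session:
    user: str
    pid: int                       # patient the caller is authorized for
    denied: list = field(default_factory=list)  # audit trail of refusals


def render_vulnerable(session: Session, formid: int, visitid: int, patientid: int) -> str:
    """Looks the form up by formid alone; visitid/patientid are never checked."""
    form = FORMS.get(formid)
    if form is None:
        raise KeyError("no such form")
    return form["content"]


def render_hardened(session: Session, formid: int, visitid: int, patientid: int) -> str:
    """Refuses unless the whole ownership chain matches the caller's patient."""
    form = FORMS.get(formid)
    chain_ok = (
        form is not None
        and form["encounter"] == visitid
        and form["pid"] == patientid
        and ENCOUNTERS.get(visitid) == patientid
    )
    # One generic refusal for "missing" and "not yours": a distinct error would
    # tell a probing caller which IDs exist.
    if not chain_ok or patientid != session.pid:
        session.denied.append((formid, visitid, patientid))
        raise Forbidden("form not available")
    return form["content"]


def looks_like_enumeration(session: Session, threshold: int = 5) -> bool:
    """Simple detection signal: many refusals in one session."""
    return len(session.denied) >= threshold


if __name__ == "__main__":
    s = Session(user="clinician", pid=1)
    print(render_vulnerable(s, 102, 5002, 2))   # leaks patient 2's form
    try:
        render_hardened(s, 102, 5002, 2)
    except Forbidden as e:
        print("denied:", e)
    print(render_hardened(s, 101, 5001, 1))     # own patient: allowed
```

In a real deployment the chain lookup is a single query joined across the form, encounter and patient tables, and the "authorized patient" test is the session's selected patient plus the user's access-control rules; the denial log feeds the same place other authorization failures are alerted on.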

Added: Feb 25, 2026, 10:43 PM
Updated: Feb 25, 2026, 10:43 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.