OpenEMR Eye Exam View Insecure Direct Object Reference Vulnerability

Vulnerability

An insecure direct object reference (IDOR) vulnerability has been identified in OpenEMR versions prior to 8.0.0. The issue arises in the eye exam view, where the application loads data based on the form ID without verifying that the form belongs to the current user's patient or encounter. This flaw allows an authenticated user to access or modify any patient's eye exam by supplying a different form ID. Additionally, the vulnerability can inadvertently switch the active patient in the user's session.

Impact

Exploitation of this vulnerability allows unauthorized access to and modification of any patient's eye exam data, which includes protected health information (PHI). This not only breaches patient privacy but also risks clinical integrity by potentially allowing incorrect information to be recorded or viewed. Furthermore, the vulnerability can disrupt the user's session context, leading to confusion or cross-patient actions.

Reproduction

To reproduce this vulnerability, log in as a user with access to eye exam forms. Then, obtain a form ID from another patient's eye exam, such as 'id=555'. Access the eye exam view by sending a request to 'view.php' with the stolen form ID. The response will include the other patient's eye exam, confirming the IDOR vulnerability.

Remediation

A fix for this vulnerability has been implemented and is available on the main branch of the OpenEMR GitHub repository. Users should update to the latest version.
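The two access patterns the advisory contrasts, as an added example that is not OpenEMR's code (OpenEMR is PHP; this is a stand-alone Python model with a constructed schema and data): the flawed lookup keys the query on the client-supplied form ID alone and rewrites the session from the result, while the hardened lookup also requires the form to belong to the patient and encounter already bound to the session and never changes the session from request data.

```python
import sqlite3


def make_db():
    """In-memory DB with two patients, each owning one eye exam (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE forms (form_id INTEGER PRIMARY KEY, pid INTEGER, encounter INTEGER);
        CREATE TABLE eye_exam (form_id INTEGER PRIMARY KEY, findings TEXT);
        INSERT INTO forms VALUES (100, 1, 10), (555, 2, 20);
        INSERT INTO eye_exam VALUES (100, 'patient 1 exam'), (555, 'patient 2 exam');
    """)
    return db


def load_exam_vulnerable(db, session, form_id):
    """Flawed pattern: trust the request's form id, then overwrite the session's
    patient/encounter from the form, mirroring the 'switches the active patient'
    effect described in the advisory."""
    row = db.execute(
        "SELECT f.pid, f.encounter, e.findings FROM forms f "
        "JOIN eye_exam e USING (form_id) WHERE f.form_id = ?", (form_id,)).fetchone()
    if row is None:
        return None
    session["pid"], session["encounter"] = row[0], row[1]
    return row[2]


def load_exam_fixed(db, session, form_id):
    """Hardened pattern: the form must match the session's own patient and
    encounter; anything else is simply 'not found', and the session is untouched."""
    row = db.execute(
        "SELECT e.findings FROM forms f JOIN eye_exam e USING (form_id) "
        "WHERE f.form_id = ? AND f.pid = ? AND f.encounter = ?",
        (form_id, session["pid"], session["encounter"])).fetchone()
    return row[0] if row else None


def demo():
    """User is working on patient 1; form 555 belongs to patient 2.
    Returns (vulnerable result, session pid afterwards, fixed result, own form)."""
    db = make_db()
    session = {"pid": 1, "encounter": 10}
    leaked = load_exam_vulnerable(db, session, 555)   # returns patient 2's exam
    switched_pid = session["pid"]                      # session now points at patient 2
    session = {"pid": 1, "encounter": 10}
    denied = load_exam_fixed(db, session, 555)         # None: not this patient's form
    own = load_exam_fixed(db, session, 100)            # own form still loads
    return leaked, switched_pid, denied, own
```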

Added: Feb 26, 2026, 9:41 AM
Updated: Feb 26, 2026, 9:41 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.