OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 8.0.0.2
A blind SQL injection vulnerability has been identified in OpenEMR versions prior to 8.0.0.3. The issue resides in the Patient Search feature, in the file 'new_search_popup.php'. It allows authenticated attackers to execute arbitrary SQL commands by manipulating the keys of HTTP parameters whose names start with 'mf_', such as 'mf_fname' and 'mf_lname'. The root cause is inadequate validation of the column names derived from those keys, which lets an attacker inject SQL logic into the application's database queries.
Exploitation of this vulnerability allows authenticated users to perform blind SQL injection, with the potential to bypass search filters and access all patient records in the database. This could include extracting sensitive information such as usernames, passwords, and patient health data.
To reproduce this vulnerability, an authenticated user sends a request to the Patient Search functionality that includes HTTP parameters whose names start with 'mf_'. The application processes these parameter names without proper validation, allowing SQL to be injected into the query that is executed against the database.
Users can upgrade to OpenEMR version 8.0.0.3 or later, where this vulnerability has been patched.
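The defect described above is a column name taken from the request key itself. A hardened search builder, written here as an added Python example (it is not OpenEMR's code; the patient_data columns, the allowlist contents and the sample rows are constructed), only uses the 'mf_' suffix as a lookup into an allowlist of column names, rejects anything else, and binds the user-supplied value as a placeholder:

```python
import sqlite3

PARAM_PREFIX = "mf_"
# Constructed allowlist: request-parameter suffix -> real column name.
# Only the names on the right-hand side ever reach the SQL text.
SEARCHABLE_COLUMNS = {"fname": "fname", "lname": "lname", "dob": "DOB"}

class UnknownSearchField(ValueError):
    """An mf_ key whose suffix is not on the allowlist."""

def like_prefix(value):
    """Escape LIKE wildcards so the value matches literally, then add the trailing %."""
    escaped = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return escaped + "%"

def build_patient_search(params):
    """Return (sql, bound_values) for the mf_* parameters of a request.
    The flawed pattern splices the parameter key into the query as a column
    name; here the key only selects an allowlist entry and the value is bound."""
    clauses, values = [], []
    for key, value in params.items():
        if not key.startswith(PARAM_PREFIX):
            continue  # unrelated parameter, not part of the search
        column = SEARCHABLE_COLUMNS.get(key[len(PARAM_PREFIX):])
        if column is None:
            # The key is attacker-controlled text: reject it, never echo it into SQL.
            raise UnknownSearchField(f"unsupported search field: {key!r}")
        clauses.append(f"{column} LIKE ? ESCAPE '\\'")
        values.append(like_prefix(value))
    where = " AND ".join(clauses) if clauses else "1=1"
    return f"SELECT pid, fname, lname FROM patient_data WHERE {where} ORDER BY pid", values

def search_patients(conn, params):
    sql, values = build_patient_search(params)
    return conn.execute(sql, values).fetchall()

def demo_db():
    """In-memory table with constructed sample rows (not real patient data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT, DOB TEXT)")
    conn.executemany("INSERT INTO patient_data VALUES (?, ?, ?, ?)", [
        (1, "Ana", "Lopez", "1980-01-01"),
        (2, "Ben", "Lowe", "1975-05-05"),
        (3, "Cara", "Smith", "1990-09-09"),
    ])
    return conn
```

Any 'mf_' key whose suffix is not in the allowlist raises before a query is built, which is also a useful point to log, since a legitimate client never sends such a key.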