OpenEMR Insecure Direct Object Reference Vulnerability in Fee Sheet Product Save Logic

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in OpenEMR versions prior to 8.0.0.3, in the fee sheet product save logic in 'library/FeeSheet.class.php'. Any authenticated user with fee sheet ACL access can read, modify, or delete 'drug_sales' records belonging to any patient by tampering with the hidden 'prod[][sale_id]' form field. The 'save()' method uses the user-supplied 'sale_id' as the key for its lookups and writes without checking that the referenced record belongs to the patient and encounter of the current session, so a fee sheet submitted for one patient can reach the 'drug_sales' rows of an unrelated patient.

Impact

An authenticated user with fee sheet access can delete or modify the drug sales records of patients they are not working on, disrupt the inventory counts tied to those sales, and undermine audit trails, since the change is submitted under the attacker's patient and encounter rather than under the record's true owner.

Reproduction

To reproduce this vulnerability, log into OpenEMR as a user with fee sheet ACL access. Create two patients, each with an encounter. Open the fee sheet for Patient B, add a product line item, and save it; note the 'sale_id' assigned to this record (it is carried in the hidden 'prod[N][sale_id]' field when the fee sheet is reopened). Then open Patient A's encounter and navigate to its fee sheet. Using browser developer tools or an intercepting proxy, replace one of the 'prod[N][sale_id]' values in the form with Patient B's 'sale_id' and submit it, either as an edit or as a deletion. Reopen Patient B's fee sheet and confirm that the record was modified or deleted even though the request was made from Patient A's encounter.
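The flaw in the save logic and the reproduction steps above reduce to one pattern: a write keyed on a client-supplied 'sale_id' alone, without binding it to the session's patient and encounter. The following Python model is an added illustration, not code from OpenEMR; it uses an in-memory SQLite table standing in for 'drug_sales' (the 'pid', 'encounter' and 'quantity' columns, the sample rows, and the shape of the 'prod' form data are assumptions made for this example). 'save_vulnerable' behaves as the advisory describes; 'save_fixed' shows the ownership check a hardened 'save()' needs, applied both before and inside the write.

```python
import sqlite3

# Constructed in-memory stand-in for OpenEMR's drug_sales table. Only the
# table name and sale_id come from the advisory; the pid/encounter/quantity
# columns and the sample rows are assumptions made for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE drug_sales ("
        " sale_id INTEGER PRIMARY KEY, pid INTEGER NOT NULL,"
        " encounter INTEGER NOT NULL, quantity INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO drug_sales VALUES (?, ?, ?, ?)",
        [(1, 100, 1001, 2),   # Patient A, encounter 1001
         (2, 200, 2002, 1)],  # Patient B, encounter 2002
    )
    db.commit()
    return db

def get_sale(db, sale_id):
    """Return (sale_id, pid, encounter, quantity) or None."""
    return db.execute("SELECT * FROM drug_sales WHERE sale_id = ?", (sale_id,)).fetchone()

def save_vulnerable(db, pid, encounter, prod):
    """Models the flawed save(): each line's sale_id is taken from the form
    as-is and the UPDATE/DELETE is keyed on sale_id alone, so the session's
    pid and encounter never constrain the query."""
    for line in prod:
        if line.get("del"):
            db.execute("DELETE FROM drug_sales WHERE sale_id = ?", (line["sale_id"],))
        else:
            db.execute("UPDATE drug_sales SET quantity = ? WHERE sale_id = ?",
                       (line["quantity"], line["sale_id"]))
    db.commit()

def save_fixed(db, pid, encounter, prod):
    """Hardened form: reject the whole submission if any sale_id does not
    belong to the current patient and encounter, and scope the write itself
    by pid and encounter so a stray id can never touch another patient's row."""
    for line in prod:
        owned = db.execute(
            "SELECT 1 FROM drug_sales WHERE sale_id = ? AND pid = ? AND encounter = ?",
            (line["sale_id"], pid, encounter)).fetchone()
        if owned is None:
            raise PermissionError(
                f"sale_id {line['sale_id']} is not part of pid {pid}, encounter {encounter}")
    try:
        for line in prod:
            if line.get("del"):
                cur = db.execute(
                    "DELETE FROM drug_sales WHERE sale_id = ? AND pid = ? AND encounter = ?",
                    (line["sale_id"], pid, encounter))
            else:
                cur = db.execute(
                    "UPDATE drug_sales SET quantity = ? "
                    "WHERE sale_id = ? AND pid = ? AND encounter = ?",
                    (line["quantity"], line["sale_id"], pid, encounter))
            if cur.rowcount != 1:
                raise RuntimeError(f"sale_id {line['sale_id']} no longer matches the session scope")
        db.commit()
    except Exception:
        db.rollback()
        raise

def attempt(save_fn, db, pid, encounter, prod):
    """Run a save and report 'ok' or 'rejected' so both paths can be compared."""
    try:
        save_fn(db, pid, encounter, prod)
        return "ok"
    except PermissionError:
        return "rejected"

def demo():
    # Attacker works in Patient A's encounter (pid 100 / encounter 1001) but
    # submits Patient B's sale_id 2 in the hidden prod[N][sale_id] field.
    forged = [{"sale_id": 2, "del": True}]
    results = {}
    db = make_db()
    results["vulnerable"] = attempt(save_vulnerable, db, 100, 1001, forged)
    results["vulnerable_row2"] = get_sale(db, 2)    # None: B's record is gone
    db = make_db()
    results["fixed"] = attempt(save_fixed, db, 100, 1001, forged)
    results["fixed_row2"] = get_sale(db, 2)         # untouched
    # A legitimate edit from B's own encounter still goes through.
    results["legit"] = attempt(save_fixed, db, 200, 2002, [{"sale_id": 2, "quantity": 5}])
    results["legit_row2"] = get_sale(db, 2)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The pre-check gives the user a clear rejection, and repeating the pid/encounter predicate in the UPDATE/DELETE itself means that even a check bypassed by a later code change cannot write outside the session's scope; checking 'rowcount' and rolling back keeps a multi-line submission from being half-applied.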

Remediation

Update to OpenEMR version 8.0.0.3 or later, which includes a patch for this vulnerability. Until the update is applied, limit fee sheet ACL access to the smallest set of users who need it, since any user holding that access can exploit the flaw.

Added: Mar 25, 2026, 11:27 PM
Updated: Mar 25, 2026, 11:27 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 1.3
exploitability: 5.9
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.