OpenEMR SQL Injection Vulnerability in Ajax Graphs Library

Vulnerability

A SQL injection vulnerability has been identified in OpenEMR versions prior to 8.0.0.1. This vulnerability resides in the ajax graphs library, where user input is inadequately validated, allowing authenticated attackers to inject malicious SQL code. The issue arises because the application directly concatenates user-supplied data into SQL queries without proper sanitization, potentially leading to unauthorized database access and extraction of sensitive information.

Impact

Exploitation of this vulnerability allows authenticated attackers to execute arbitrary SQL commands, appended to the original SQL query of the vulnerable endpoint. This could lead to unauthorized access and extraction of database information, including sensitive medical data. In some cases, this vulnerability could be leveraged to execute server-side code.

Reproduction

To reproduce this vulnerability, an authenticated user sends a POST request to 'library/ajax/graphs.php' with a crafted 'name' parameter containing a SQL injection payload. The injection can be confirmed from the application's response, which returns a SQL syntax error when the injected input reaches the query. Once confirmed, the same 'name' parameter can be manipulated to retrieve specific data from the database, such as user credentials.
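The concatenation bug class described above, beside its parameterized counterpart, as an added PHP illustration that is not OpenEMR's code or its actual fix: the table, column and function names are hypothetical, and it runs against an in-memory SQLite database (requires PHP's pdo_sqlite extension).

```php
<?php
// Added illustration, not OpenEMR's own code: a hypothetical handler that
// reads a POST 'name' parameter and looks up graph data, shown first with the
// string concatenation the advisory describes, then with a bound parameter.
declare(strict_types=1);

/** Unsafe: the request value is spliced into the SQL text. */
function fetchGraphDataUnsafe(PDO $db, string $name): array
{
    // A quote in $name changes the query's structure, which is the bug class.
    $sql = "SELECT date, value FROM graph_points WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: a bound parameter travels as data and is never parsed as SQL. */
function fetchGraphDataSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT date, value FROM graph_points WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE graph_points (name TEXT, date TEXT, value REAL)');
$db->exec("INSERT INTO graph_points VALUES ('weight', '2026-03-01', 80.5)");

// Constructed input with a stray single quote, the kind of value the advisory
// says surfaces as a SQL syntax error in the vulnerable endpoint's response.
$name = "weight'";

try {
    fetchGraphDataUnsafe($db, $name);
} catch (PDOException $e) {
    // The unbalanced quote breaks the statement: the tell-tale syntax error.
    echo 'unsafe: ' . $e->getMessage() . "\n";
}

// Same input through the prepared statement: no error, simply no match.
$rows = fetchGraphDataSafe($db, $name);
echo 'safe: ' . count($rows) . " row(s) for an unknown name\n";
$rows = fetchGraphDataSafe($db, 'weight');
echo 'safe: ' . count($rows) . " row(s) for a known name\n";
```

If graph names are a small fixed vocabulary, an allowlist check before the query is a cheap second layer on top of the bound parameter.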

Remediation

Users are advised to update OpenEMR to version 8.0.0.1 or later, where this vulnerability has been fixed.

Added: Mar 11, 2026, 9:20 PM
Updated: Mar 11, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.