OpenEMR Command Injection Vulnerability in Backup Functionality Allowing Remote Code Execution

Vulnerability

A command injection vulnerability allowing remote code execution has been identified in OpenEMR versions prior to 8.0.0.2. This vulnerability arises from inadequate input validation in the backup feature, where user-supplied data is concatenated into shell commands without proper sanitization. Authenticated attackers can exploit this flaw by injecting malicious commands that are executed on the server.

Impact

Exploitation of this vulnerability allows for server-side code execution, with the injected commands executed in the context of the web server user.

Reproduction

To reproduce this vulnerability, an authenticated user can insert a payload into the 'grp_form_id' column of the 'layout_group_properties' table. After inserting the payload, the user can call the backup functionality, which will execute the injected command. This can be done by using the 'form_cb_addlists' and 'form_sel_layouts' POST parameters to trigger the backup process while including the malicious payload.

Remediation

Users are advised to update OpenEMR to version 8.0.0.2 or later, where this vulnerability has been fixed.
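
For code that builds similar commands, the following added example (not OpenEMR source and not taken from the fix) contrasts the concatenation pattern described above with an allowlisted, shell-escaped form. The function names, the mysqldump command shape, the allowlist pattern and the sample values are assumptions made for illustration; the script only prints command strings and executes nothing.

```php
<?php
// Added illustration, not OpenEMR source. Function names, the mysqldump
// command shape and the identifier allowlist are assumptions for this example.

// Pattern the advisory describes: a stored value is pasted into a shell
// command string, so quotes or metacharacters in it change what the shell parses.
function dump_cmd_concatenated(string $formId): string
{
    return "mysqldump openemr layout_options --where=\"form_id = '$formId'\"";
}

// Hardened form: allowlist the identifier, then pass the whole option as one
// shell-escaped argument. Database-sourced values get the same treatment as
// request parameters.
function dump_cmd_hardened(string $formId): string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,31}\z/', $formId)) {
        throw new InvalidArgumentException('layout id failed allowlist check');
    }
    return 'mysqldump openemr layout_options '
        . escapeshellarg("--where=form_id = '" . $formId . "'");
}

// Constructed sample values: one ordinary id, one carrying shell syntax.
$samples = ['LBFdemo', 'LBFdemo\'"; echo INJECTED; #'];

foreach ($samples as $id) {
    echo "value:        ", $id, PHP_EOL;
    echo "concatenated: ", dump_cmd_concatenated($id), PHP_EOL;
    try {
        echo "hardened:     ", dump_cmd_hardened($id), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "hardened:     rejected (", $e->getMessage(), ")", PHP_EOL;
    }
    echo PHP_EOL;
}
```

Where the runtime allows it, passing the command as an argument array (proc_open accepts one from PHP 7.4) avoids shell parsing altogether.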

Added: Mar 19, 2026, 8:20 PM
Updated: Mar 19, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 10.0
exploitability: 5.8
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.