OpenEMR Arbitrary File Read Vulnerability in PDF Generation

Vulnerability

A vulnerability allowing arbitrary file read has been identified in OpenEMR versions prior to 8.0.0.2. This issue arises in the PDF creation function of the Eye Exam form, where user responses are processed as unescaped HTML. As a result, an attacker can cause image files from the server's filesystem to be embedded in the generated PDF. Additionally, there is a high likelihood that this vulnerability could be exploited to read other types of files by manipulating PHP filter chains.

Impact

Exploitation of this vulnerability allows authenticated users with the 'Notes - my encounters' role to read arbitrary images from the server's filesystem, potentially including sensitive patient data. Furthermore, there is a high likelihood that other file types could be accessed by abusing PHP filter chains.

Reproduction

To reproduce this vulnerability, log into OpenEMR with a user assigned the 'Notes - my encounters' role, such as a member of the 'Clinicians' group. Navigate to the Eye Exam form within a patient encounter and insert a payload in the HPI field that includes an image tag referencing a file on the server. After saving the form, generate a PDF report; the report will contain the referenced image, demonstrating the arbitrary file read vulnerability.
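To show the pattern behind this bug, here is an added PHP example, not OpenEMR's own code: the vulnerable interpolation of a form field into report HTML beside the escaped form, plus a boundary check that flags any image source that is not an https:// URL. The function names, sample field value and sample path are assumptions made for the example.

```php
<?php
// Added illustration, not OpenEMR's own code. The bug class exists when an
// HTML-to-PDF engine resolves <img src> against the server filesystem while
// the HTML it receives contains unescaped user input.
declare(strict_types=1);

// Constructed sample HPI entry of the kind the advisory describes: free text
// carrying an <img> tag that points at a file on the server (path is made up).
const SAMPLE_HPI = 'Blurry vision since Monday <img src="/srv/example/uploads/photo.png">';

// Vulnerable pattern: the field is interpolated verbatim into the report HTML.
function buildReportHtmlVulnerable(string $hpi): string
{
    return "<h2>HPI</h2><p>{$hpi}</p>";
}

// Hardened pattern: escape the field so any markup becomes literal text and
// the PDF engine never receives user-controlled elements.
function buildReportHtmlSafe(string $hpi): string
{
    $escaped = htmlspecialchars($hpi, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h2>HPI</h2><p>{$escaped}</p>";
}

// Boundary check for the final HTML (usable as a guard before rendering or as
// a regression test): list every <img src> that is not an https:// URL.
// Local paths and stream-wrapper URLs all fail this allowlist.
function findUnsafeImageSources(string $html): array
{
    $unsafe = [];
    if (preg_match_all('/<img\b[^>]*\bsrc\s*=\s*["\']([^"\']*)["\']/i', $html, $matches)) {
        foreach ($matches[1] as $src) {
            if (!preg_match('#^https://#i', $src)) {
                $unsafe[] = $src;
            }
        }
    }
    return $unsafe;
}

// Vulnerable output still carries the tag, so the engine would embed the file.
assert(findUnsafeImageSources(buildReportHtmlVulnerable(SAMPLE_HPI))
    === ['/srv/example/uploads/photo.png']);
// Hardened output has no <img> element; the payload renders as inert text.
assert(findUnsafeImageSources(buildReportHtmlSafe(SAMPLE_HPI)) === []);
```

Escaping at the template is the fix; the allowlist check is a second line of defence that catches any other template that forgets to escape.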

Remediation

Users can update to OpenEMR version 8.0.0.2 or later, where this vulnerability has been fixed.

Added: Mar 19, 2026, 9:29 PM
Updated: Mar 19, 2026, 9:29 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 0.8
exploitability: 6.2
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.