OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0.2
A vulnerability exists in OpenEMR versions prior to 8.0.0.2, within the ACL module's `zhAclCheck()` function. This function only verifies the presence of 'allow' permissions for users or groups, without considering explicit 'deny' permissions. Consequently, administrators are unable to revoke access effectively, as a user in a group with 'allow' will be granted access, regardless of any explicit denies. The issue has been addressed in version 8.0.0.2.
The vulnerability leads to incorrect authorization by ignoring explicit denies, allowing users to access features or modules they should be denied. This can result in privilege escalation, as access controls believed to be enforced can be bypassed, and may violate compliance policies that require strict adherence to deny-over-allow principles.
To reproduce this vulnerability, assign a user an explicit deny for a specific section while also placing them in a group that has allow for the same section. When the `zhAclCheck()` function is called for that user and section, the function will incorrectly return true, granting access despite the explicit deny.
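The following is an added illustration, not OpenEMR's own code: a minimal model of the ACL decision described above, contrasting an allow-only lookup with a deny-over-allow lookup on the exact scenario in the advisory (explicit user deny plus group allow on the same section). The function names, data structures and sample policy are hypothetical.

```python
# Added illustration, not OpenEMR's code: a minimal model of the ACL decision
# described above. Function and data names are hypothetical.

# Constructed sample policy: user "nurse1" carries an explicit deny on the
# section "patients/docs" but is also a member of group "clinicians", which
# holds an allow on that same section.
USER_ACL = {"nurse1": {"patients/docs": "deny"}}
GROUP_ACL = {"clinicians": {"patients/docs": "allow"}}
GROUP_MEMBERS = {"clinicians": {"nurse1", "doctor1"}}


def groups_of(user):
    """Return the groups the user belongs to."""
    return [g for g, members in GROUP_MEMBERS.items() if user in members]


def acl_check_allow_only(user, section):
    """Flawed check in the spirit of the pre-8.0.0.2 behaviour: it only looks
    for an 'allow' on the user or on any of the user's groups and never
    consults 'deny' entries, so an explicit deny cannot revoke access."""
    if USER_ACL.get(user, {}).get(section) == "allow":
        return True
    return any(GROUP_ACL.get(g, {}).get(section) == "allow" for g in groups_of(user))


def acl_check_deny_wins(user, section):
    """Corrected check: gather every entry that applies to the user (direct and
    via groups) and let an explicit 'deny' override any 'allow'."""
    decisions = []
    direct = USER_ACL.get(user, {}).get(section)
    if direct is not None:
        decisions.append(direct)
    for g in groups_of(user):
        via_group = GROUP_ACL.get(g, {}).get(section)
        if via_group is not None:
            decisions.append(via_group)
    if "deny" in decisions:
        return False  # deny-over-allow: any explicit deny revokes access
    return "allow" in decisions


if __name__ == "__main__":
    print("allow-only check:", acl_check_allow_only("nurse1", "patients/docs"))
    print("deny-wins check: ", acl_check_deny_wins("nurse1", "patients/docs"))
```

Running the block shows the allow-only check granting "nurse1" access despite the explicit deny, while the deny-wins check refuses it; "doctor1", who has no deny, is still allowed by both.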
Users can update to OpenEMR version 8.0.0.2 or later, where this vulnerability has been fixed.