OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 8.0.0.1
An authorization bypass vulnerability has been identified in OpenEMR versions prior to 8.0.0.2. This vulnerability allows authenticated non-admin users to access reminder messages from other users through the dated reminders log. The issue arises because GET request parameters can be supplied with arbitrary user IDs, which bypasses the existing authorization checks. The exposed information includes patient names and free-text message content, leading to a violation of Protected Health Information (PHI) privacy.
Exploitation of this vulnerability allows any authenticated non-admin user to read dated reminders belonging to other users, including sensitive patient information and message content. This read-only access can be abused to systematically collect reminders across all users by sequentially targeting user IDs.
To reproduce this vulnerability, log into OpenEMR as a non-admin user. Navigate to the dated reminders section and open the 'View Log' option, which loads 'dated_reminders_log.php'. Note the CSRF token from the page source. Then, send a GET request to 'dated_reminders_log.php' including the CSRF token and a user ID in the 'sentTo[]' parameter. The response will contain all reminders sent to that user, including patient names and message bodies. Alternatively, using the 'sentBy[]' parameter with a sender's ID retrieves all reminders from that sender, exposing reminders across all their recipients in one request.
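The request pattern described above is visible in ordinary web server access logs. The following added example (not OpenEMR's own code) is a heuristic detector: it parses constructed combined-format log lines, isolates requests to dated_reminders_log.php, and flags any client that uses 'sentBy[]' or that requests several distinct 'sentTo[]' IDs. The sample lines and the directory prefix in them are assumed; only the file name and parameter names come from the advisory.

```python
"""Heuristic detection of dated_reminders_log.php enumeration (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined-format request line: client IP and the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; the directory prefix is assumed, only the file name
# comes from the advisory. '[]' is percent-encoded as a server would log it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=abc HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:05 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=abc&sentTo%5B%5D=2 HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2025:10:00:06 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=abc&sentTo%5B%5D=3 HTTP/1.1" 200 1900
10.0.0.5 - - [01/Jan/2025:10:00:07 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=abc&sentTo%5B%5D=4 HTTP/1.1" 200 1700
10.0.0.9 - - [01/Jan/2025:10:01:00 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=def&sentBy%5B%5D=7 HTTP/1.1" 200 9000
10.0.0.7 - - [01/Jan/2025:10:02:00 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=ghi&sentTo%5B%5D=5 HTTP/1.1" 200 800
"""

def summarize(log_text):
    """Per client IP: which user IDs were requested via sentTo[] and sentBy[]."""
    per_ip = defaultdict(lambda: {"sentTo": set(), "sentBy": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/dated_reminders_log.php"):
            continue
        params = parse_qs(parts.query)  # decodes sentTo%5B%5D -> 'sentTo[]'
        for key in ("sentTo", "sentBy"):
            ids = params.get(key + "[]", [])
            if ids:
                per_ip[m.group("ip")][key].update(ids)
    return dict(per_ip)

def flag(per_ip, max_targets=3):
    """Return (ip, reason) pairs worth reviewing. Heuristic only: the access log
    lacks the authenticated user, so a single sentTo[] value may be legitimate."""
    findings = []
    for ip, seen in sorted(per_ip.items()):
        if seen["sentBy"]:  # one sentBy[] request exposes all of a sender's reminders
            findings.append((ip, "sentBy[] used: " + ",".join(sorted(seen["sentBy"]))))
        if len(seen["sentTo"]) >= max_targets:
            findings.append((ip, f"{len(seen['sentTo'])} distinct sentTo[] IDs (enumeration)"))
    return findings

if __name__ == "__main__":
    for ip, reason in flag(summarize(SAMPLE_LOG)):
        print(ip, reason)
```

Correlating the flagged client with the OpenEMR session or audit log identifies the account, and any hit on an instance below 8.0.0.2 should be treated as a possible PHI disclosure.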
Users can update to OpenEMR version 8.0.0.2 or later, where this vulnerability has been patched.