OpenEMR Authorization Bypass Vulnerability in FaxSMS Module AppDispatch Constructor

Vulnerability

An authorization bypass vulnerability has been identified in the optional FaxSMS module of OpenEMR, prior to version 8.0.0.2. This vulnerability allows any authenticated user to invoke controller methods, such as 'getNotificationLog()', which retrieves patient appointment data (PHI), without the necessary ACL permissions. The issue arises because the 'AppDispatch' constructor dispatches user-controlled actions and exits the process before any ACL checks can be applied. As a result, unauthorized users can access sensitive patient information and manipulate module API credentials.
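The following is an added illustration, not code from OpenEMR or the FaxSMS module: it shows the constructor-dispatch pattern described above beside a hardened dispatcher that resolves the permission before acting. `hasAcl()` and `notificationLog()` are hypothetical stand-ins for the framework's ACL check and the PHI query.

```php
<?php
// Added illustration, not OpenEMR's code: the constructor-dispatch
// anti-pattern described above, beside a hardened dispatcher.
// hasAcl() and notificationLog() are hypothetical stand-ins.
function hasAcl(string $section, string $value): bool
{
    return !empty($_SESSION['acl'][$section][$value]);
}
function notificationLog(): string   // stands in for the PHI query
{
    return json_encode(['pid' => 1, 'appt' => '2026-03-20']);
}

class VulnerableDispatch
{
    public function __construct()
    {
        // BUG: the user-controlled action is dispatched and the process
        // exits inside the constructor, so any ACL check written after
        // `new VulnerableDispatch()` is never reached.
        $action = $_REQUEST['_ACTION_COMMAND'] ?? '';
        if ($action !== '' && method_exists($this, $action)) {
            echo $this->$action();
            exit;
        }
    }
    public function getNotificationLog(): string { return notificationLog(); }
}

class HardenedDispatch
{
    // Allowlist: each reachable action names the permission it requires;
    // the constructor does nothing, and dispatch() checks before acting.
    private const ACTIONS = ['getNotificationLog' => ['patients', 'demo']];
    public function dispatch(string $action): void
    {
        if (!isset(self::ACTIONS[$action])) {
            http_response_code(400);
            return;
        }
        [$section, $value] = self::ACTIONS[$action];
        if (!hasAcl($section, $value)) {
            http_response_code(403); // deny before touching any data
            return;
        }
        echo $this->$action();
    }
    public function getNotificationLog(): string { return notificationLog(); }
}
```

The key difference is ordering: the hardened version never calls `exit` from a constructor, and the permission lookup is tied to the action name rather than to the page that happens to instantiate the class.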

Impact

Exploitation of this vulnerability leads to unauthorized access to patient appointment notification data (PHI) and the ability to overwrite module API credentials. This is particularly concerning in healthcare environments where shared credentials are common and insider threats exist.

Reproduction

To reproduce this vulnerability, install and enable the FaxSMS module with a supported service backend, such as Twilio SMS. Log in as an OpenEMR user without the 'patients:demo' ACL permission. Attempt to access 'messageUI.php' through the UI, which will block access due to missing authorization. However, a direct GET request can be sent using the session cookie to 'messageUI.php' or 'index.php' with the '_ACTION_COMMAND' parameter set to 'getNotificationLog'. This request will bypass the ACL check and return the notification log data, including patient IDs, appointment dates, names, and message content.

Remediation

Users can update to OpenEMR version 8.0.0.2 or later, where this vulnerability has been patched.

Added: Mar 19, 2026, 9:26 PM
Updated: Mar 19, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm

  spread          4.5
  impact          5.0
  exploitability  5.8
  remediation     7.7
  relevance       4.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.