OpenEMR Out-of-Band Server-Side Request Forgery Vulnerability in Eye Exam PDF Generation

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in OpenEMR versions prior to 8.0.0.2. An authenticated user holding the 'Notes - my encounters' role can abuse the PDF export of the Eye Exam form. The free-text form responses are inserted unescaped into the HTML that is handed to the HTML-to-PDF renderer, so any markup the user types is parsed rather than displayed; an injected tag such as <img src="..."> causes the OpenEMR server itself to fetch the referenced URL, whether it points to the public internet or to hosts on the internal network. Because the attacker observes the fetch at their own listener rather than in the application response, this is an out-of-band (blind) SSRF. The vulnerability has been patched in version 8.0.0.2.

Impact

Exploitation of this vulnerability allows authenticated users with the 'Notes - my encounters' role to make the OpenEMR server issue HTTP requests to external or internal resources of their choosing. This can be used to probe internal services that are not reachable from the attacker's network position, to have the server fetch arbitrary remote files or images and embed them in generated PDFs that are stored as part of patient records, and to generate large volumes of traffic toward third-party hosts, which can get the server's address placed on spam or abuse blocklists.

Reproduction

To reproduce this vulnerability, log into OpenEMR with a user that has the 'Notes - my encounters' role. Create or select a patient and an encounter, then open the Eye Exam form. In the HPI field, enter a payload containing an image tag whose src attribute points to a webhook or request-catcher URL whose access log you control, and save the form. Export the form as a PDF. During PDF generation the injected image tag is parsed and the server requests the image, and the request appears in the webhook log. To confirm that the fetch is server-side rather than a false positive from your own browser rendering the form, check that the logged source IP and User-Agent belong to the OpenEMR host and its PDF renderer, not to your workstation.
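The following is an added illustration of the bug class described above and of the fix, written for this page; it is not OpenEMR's code and does not reproduce its templates. The function names, the HTML skeleton, the HPI string and the host attacker.example are hypothetical. It shows a rendering helper that concatenates the HPI field into PDF-bound HTML unescaped, the same helper with the field escaped, and a small check a reviewer can run over the produced markup to spot anything that would make the renderer fetch a remote resource.

```php
<?php
// Added illustration, not OpenEMR code. All names below are hypothetical.
//
// Bug class: a free-text clinical field (here the HPI field of an eye exam
// form) is concatenated into the HTML that an HTML-to-PDF renderer consumes.
// Renderers that resolve <img src> and similar references will issue a
// server-originated HTTP request for each one, so a tag planted in the field
// becomes an out-of-band SSRF.

// Constructed attacker input: what a user with form-entry rights could type
// into the HPI field. attacker.example is a placeholder, not a real endpoint.
$hpi = 'Blurry vision x3 days <img src="https://attacker.example/hook?u=1">';

// Vulnerable pattern: raw interpolation of user text into PDF-bound HTML.
function buildEyeExamHtmlVulnerable(string $hpi): string
{
    return '<h2>HPI</h2><p>' . $hpi . '</p>';
}

// Hardened pattern: escape before interpolation so markup is rendered as
// visible text and never parsed. ENT_QUOTES covers both quote styles;
// ENT_SUBSTITUTE keeps malformed UTF-8 from silently producing an empty
// string, which would otherwise lose clinical text.
function buildEyeExamHtmlSafe(string $hpi): string
{
    $escaped = htmlspecialchars($hpi, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // Keep the line breaks the clinician typed without re-enabling markup.
    return '<h2>HPI</h2><p>' . nl2br($escaped) . '</p>';
}

// Reviewer check: does the final markup still contain a reference the
// renderer would fetch? Looks for resource-loading elements whose src/href/
// data attribute carries a URL scheme or a protocol-relative host, and for
// CSS url() references, which many HTML-to-PDF engines also resolve.
function containsRemoteReference(string $html): bool
{
    $elementRef = '~<(img|iframe|link|object|embed|source)\b[^>]*\b(src|href|data)\s*=\s*["\']?\s*(?:[a-z][a-z0-9+.-]*:|//)~i';
    $cssRef     = '~url\(\s*["\']?\s*(?:[a-z][a-z0-9+.-]*:|//)~i';
    return (bool) preg_match($elementRef, $html) || (bool) preg_match($cssRef, $html);
}

$vulnerable = buildEyeExamHtmlVulnerable($hpi);
$safe       = buildEyeExamHtmlSafe($hpi);

echo 'vulnerable markup would trigger a server-side fetch: '
    . (containsRemoteReference($vulnerable) ? 'yes' : 'no') . PHP_EOL;
echo 'hardened markup would trigger a server-side fetch:   '
    . (containsRemoteReference($safe) ? 'yes' : 'no') . PHP_EOL;
echo PHP_EOL . $safe . PHP_EOL;
```

Escaping at the point where user text enters the HTML is the fix the class of bug calls for; in the hardened output the tag survives only as literal text and the PDF shows the clinician exactly what was typed. As a second layer, the host that renders PDFs should not be able to reach arbitrary destinations: restrict its outbound HTTP to the resources PDF generation legitimately needs, so that a future template that forgets to escape cannot be turned into a probe of the internal network.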

Remediation

Update to OpenEMR version 8.0.0.2 or later, where this vulnerability has been fixed. Where the upgrade cannot be applied immediately, review which accounts hold the 'Notes - my encounters' role and restrict outbound HTTP from the OpenEMR host to the destinations it actually needs, which limits both internal probing and traffic toward third parties until the patch is in place.

Added: Mar 19, 2026, 9:25 PM
Updated: Mar 19, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          0.4
exploitability  5.3
remediation     7.7
relevance       4.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.