OpenEMR SQL Injection Vulnerability in Patient Selection Feature

Vulnerability

A SQL injection vulnerability has been identified in OpenEMR versions through 8.0.0.2, specifically within the patient selection feature. Because of insufficient input validation, an authenticated attacker can inject malicious SQL code. The issue arises when database entries are concatenated directly into SQL queries without proper sanitization, which lets an attacker manipulate those queries and potentially access or modify sensitive data.

Impact

Exploitation of this vulnerability allows SQL injection, which could lead to unauthorized access to database information, potential breaches of sensitive medical information, and in some cases, server-side code execution or database compromise.

Reproduction

To reproduce this vulnerability, an authenticated user inserts a payload into the 'layout_options' table using the 'edit_layout.php' interface. Once the payload is stored, the 'patient_select.php' script triggers the SQL injection through the 'getByPatientDemographics' function, which concatenates the stored payload into a SQL query without proper escaping.
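The stored-then-concatenated pattern described above, shown as an added example in a small SQLite model with the unsafe query beside a hardened one. This is not OpenEMR code: the tables `patient_demo` and `layout_demo`, the function names and the sample rows are constructed, and it assumes the stored value is used as a column name.

```python
import sqlite3

def build_db():
    # Constructed in-memory data; table and column names are hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patient_demo (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT);
        INSERT INTO patient_demo (fname, lname)
            VALUES ('Ann', 'Lee'), ('Bob', 'Ray'), ('Cy', 'Lee');
        CREATE TABLE layout_demo (field_id TEXT);
    """)
    return conn

def set_search_field(conn, field_id):
    # The write is parameterized, so the value is stored verbatim and safely.
    conn.execute("DELETE FROM layout_demo")
    conn.execute("INSERT INTO layout_demo (field_id) VALUES (?)", (field_id,))

def stored_field(conn):
    return conn.execute("SELECT field_id FROM layout_demo").fetchone()[0]

def search_vulnerable(conn, term):
    # Second-order flaw: the value came from the database, is treated as
    # trusted, and becomes part of the statement text.
    sql = ("SELECT id FROM patient_demo WHERE " + stored_field(conn)
           + " = ? ORDER BY id")
    return [row[0] for row in conn.execute(sql, (term,))]

def search_hardened(conn, term):
    # Identifiers cannot be bound as parameters, so the stored value must
    # match a real column of the table before it reaches the SQL text.
    columns = {row[1] for row in conn.execute("PRAGMA table_info(patient_demo)")}
    field = stored_field(conn)
    if field not in columns:
        raise ValueError("stored field_id is not a column of patient_demo")
    quoted = '"' + field.replace('"', '""') + '"'
    sql = "SELECT id FROM patient_demo WHERE " + quoted + " = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]

if __name__ == "__main__":
    conn = build_db()
    set_search_field(conn, "lname")
    print(search_vulnerable(conn, "Lee"), search_hardened(conn, "Lee"))
    set_search_field(conn, "1=1 OR lname")  # constructed hostile entry
    print(search_vulnerable(conn, "Lee"))   # filter no longer applies
```

The search term is bound as a parameter in both functions; the difference is only in how the value read back from the database is handled.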

Remediation

Users can upgrade to OpenEMR version 8.0.0.3, which includes a patch for this vulnerability.

Added: Mar 25, 2026, 11:24 PM
Updated: Mar 25, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 3.1
exploitability: 5.8
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.