OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 8.0.0.2
A vulnerability exists in OpenEMR versions prior to 8.0.0.3, in the CCDA import feature of the Carecoordination module. An authenticated user can upload a specially crafted CCDA document that abuses the LIBXML_XINCLUDE flag to include arbitrary files from the server, such as the passwd file. The issue arises because XInclude content in the uploaded document is not properly sanitized before the document is parsed, which enables unauthorized file access.
Exploitation of this vulnerability allows authenticated users to read any file accessible to the web server process, potentially leading to the exposure of sensitive information such as database credentials or application source code.
To reproduce this vulnerability, log into OpenEMR as a user with access to the Carecoordination module. Upload a CCDA document containing an XInclude element referencing a file, such as '/etc/passwd', through the CCDA import interface. After importing, the included file's contents can be retrieved from the audit_details table.
Users can upgrade to OpenEMR version 8.0.0.3 or later, where this vulnerability has been patched.
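For deployments reviewing their own XML import paths, the sketch below shows the hardening pattern the description implies: parse without LIBXML_XINCLUDE and refuse documents that carry XInclude elements. It is an added example, not OpenEMR's code or its patch; the function name, the sample documents and the placeholder href are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Both namespace URIs that libxml2 recognises as XInclude.
const XINCLUDE_NAMESPACES = [
    'http://www.w3.org/2001/XInclude',
    'http://www.w3.org/2003/XInclude',
];

/**
 * Hypothetical helper (not OpenEMR code): parse an uploaded CCDA without
 * XInclude processing and reject it if it contains XInclude elements.
 */
function loadCcdaWithoutXInclude(string $xml): DOMDocument
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches. LIBXML_XINCLUDE, LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately not passed.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new InvalidArgumentException('CCDA is not well-formed XML');
    }
    foreach (XINCLUDE_NAMESPACES as $ns) {
        // Match on namespace, not prefix: the prefix is chosen by the uploader.
        if ($doc->getElementsByTagNameNS($ns, '*')->length > 0) {
            throw new DomainException('CCDA contains XInclude elements');
        }
    }
    return $doc;
}

// Constructed sample documents; the href is a harmless placeholder.
$clean = '<ClinicalDocument xmlns="urn:hl7-org:v3"><title>Constructed sample</title></ClinicalDocument>';
$withInclude = '<ClinicalDocument xmlns="urn:hl7-org:v3" xmlns:xi="http://www.w3.org/2001/XInclude">'
    . '<title><xi:include href="placeholder.txt" parse="text"/></title></ClinicalDocument>';

foreach (['clean' => $clean, 'with-xinclude' => $withInclude] as $label => $xml) {
    try {
        loadCcdaWithoutXInclude($xml);
        echo "$label: accepted\n";
    } catch (DomainException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Rejected uploads are worth logging with the uploading account, since a CCDA document has no legitimate need for XInclude.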