OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 8.0.0.2
A blind SQL injection vulnerability has been identified in the PostCalendar module of OpenEMR, prior to version 8.0.0.3. The issue resides in the 'categoriesUpdate' administrative function, where the 'dels' POST parameter is processed by 'pnVarCleanFromInput()'. This function only removes HTML tags without escaping SQL special characters. Consequently, the unvalidated 'dels' parameter is directly inserted into a raw SQL DELETE statement, which is then executed unsanitized using Doctrine DBAL's 'executeStatement()'.
Exploitation of this vulnerability allows authenticated administrators to perform time-based blind SQL injection, extracting sensitive database information. Additionally, it could be used to delete arbitrary rows from various tables by manipulating the SQL query with UNION or subquery techniques. Depending on the database driver configuration, there might also be potential for stacked query execution.
To reproduce this vulnerability, an authenticated administrator can send a POST request to 'interface/main/calendar/index.php' with the 'dels' parameter set to a crafted SQL payload. Because the parameter is not sanitized against SQL injection, a payload that introduces a time delay confirms the injection. Once confirmed, the vulnerability can be exploited to extract data from the database using standard SQL injection techniques.
Users can update to OpenEMR version 8.0.0.3 or later, where this vulnerability has been patched.
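As an added illustration (constructed for this page, not OpenEMR's own code), the pattern the description attributes to 'categoriesUpdate' is shown beside a hardened version that validates 'dels' and binds each id as a typed Doctrine DBAL parameter. The connection object, the table name `calendar_categories` and the column name `id` are assumed placeholders.

```php
<?php
// Added example, not OpenEMR's code. Assumes a Doctrine DBAL Connection ($conn)
// and a categories table 'calendar_categories' with integer column 'id'
// (placeholder names, not taken from the project).
use Doctrine\DBAL\Connection;
use Doctrine\DBAL\ParameterType;

// Vulnerable pattern as described in the advisory: the 'dels' value is only
// stripped of HTML tags (the effect attributed to pnVarCleanFromInput()) and
// then concatenated into a raw DELETE, so SQL metacharacters reach the database.
function deleteCategoriesVulnerable(Connection $conn, string $dels): int
{
    $cleaned = strip_tags($dels);  // removes <tags>; quotes, comments, etc. survive
    $sql = "DELETE FROM calendar_categories WHERE id IN ($cleaned)";
    return $conn->executeStatement($sql);  // query text is attacker-controlled
}

// Hardened form: treat 'dels' as untrusted data, enforce the expected shape
// (a comma-separated list of non-negative integers), and bind every id as a
// typed parameter so the SQL text never contains user input.
function deleteCategoriesSafe(Connection $conn, string $dels): int
{
    $ids = [];
    foreach (explode(',', $dels) as $raw) {
        $raw = trim($raw);
        if ($raw === '' || !ctype_digit($raw)) {
            throw new InvalidArgumentException("Invalid category id: '$raw'");
        }
        $ids[] = (int) $raw;
    }
    if ($ids === []) {
        return 0;  // nothing to delete; also avoids an invalid "IN ()" clause
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "DELETE FROM calendar_categories WHERE id IN ($placeholders)";
    $types = array_fill(0, count($ids), ParameterType::INTEGER);
    return $conn->executeStatement($sql, $ids, $types);
}
```

The same validate-then-bind approach applies wherever a list of ids from a request is spliced into an IN clause; rejecting anything that is not a plain integer also gives a clear signal to log when a request carries unexpected characters.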