OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 8.0.0.2
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in OpenEMR versions prior to 8.0.0.3. The flaw is in the patient portal payment page, where authenticated portal patients can access other patients' payment records. It arises from the `recid` query parameter in `portal/portal_payment.php`, which is used to look up an invoice record without verifying that the record belongs to the logged-in patient; manipulating it retrieves sensitive invoice and billing data, including payment card details. The vulnerability is exploited by altering the `recid` parameter to reference records belonging to other patients.
Exploitation of this vulnerability allows authenticated portal patients to bypass authorization and access payment records of other patients. This includes sensitive invoice and billing information, as well as payment card metadata, such as cardholder name, masked card number, expiration date, and for InHouse-gateway records, the CVV.
To reproduce this vulnerability, log into the patient portal as an authenticated user. Navigate to the payment page without a `recid` parameter to load your own payment data. Then, modify the URL to include a `recid` parameter that corresponds to an invoice record of another patient. The response will include the payment information of the patient associated with the `recid`, demonstrating unauthorized access to cross-patient payment records.
Users can update to OpenEMR version 8.0.0.3, which addresses this vulnerability by implementing proper authorization checks on the `recid` parameter in the portal payment page.
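The following is an added illustration of the fix pattern described above, written for this page and not taken from OpenEMR's code base: the vulnerable lookup trusts `recid` alone, while the hardened lookup scopes the query to the patient id bound to the portal session. The `invoices` table, its columns and the session handling are assumptions; an in-memory SQLite database stands in for OpenEMR's schema.

```php
<?php
// Added example, not OpenEMR's own code. Table and column names are assumptions.
// The pattern is the one the advisory describes: bind the recid lookup to the
// authenticated portal patient instead of trusting the query parameter alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoices (recid INTEGER PRIMARY KEY, pid INTEGER, amount REAL, card_last4 TEXT)');
// Constructed sample rows: two patients, one invoice each.
$db->exec("INSERT INTO invoices VALUES (101, 1, 120.00, '4242'), (102, 2, 75.50, '1111')");

// Vulnerable lookup: any authenticated portal user can fetch any recid.
function load_invoice_vulnerable(PDO $db, int $recid): ?array
{
    $st = $db->prepare('SELECT recid, pid, amount, card_last4 FROM invoices WHERE recid = ?');
    $st->execute([$recid]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened lookup: the row must belong to the patient tied to the session.
// A record owned by another patient is indistinguishable from a missing one,
// so the response leaks neither its contents nor its existence.
function load_invoice_scoped(PDO $db, int $recid, int $session_pid): ?array
{
    $st = $db->prepare('SELECT recid, pid, amount, card_last4 FROM invoices WHERE recid = ? AND pid = ?');
    $st->execute([$recid, $session_pid]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Simulate patient 1 requesting patient 2's invoice via ?recid=102
// (the session pid would come from the portal login, not from the request).
$session_pid = 1;
$requested   = (int) ($_GET['recid'] ?? 102);

$leak = load_invoice_vulnerable($db, $requested);
echo 'vulnerable: ', $leak ? "returned invoice {$leak['recid']} owned by pid {$leak['pid']}" : 'no record', "\n";

$safe = load_invoice_scoped($db, $requested, $session_pid);
if ($safe === null) {
    http_response_code(403);
    echo "scoped: access denied for recid {$requested}\n";
} else {
    echo "scoped: returned invoice {$safe['recid']}\n";
}
```

Run with `php` on a build that includes `pdo_sqlite`; the vulnerable function returns patient 2's row while the scoped one denies the request.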