OpenEMR Missing Authorization Vulnerability in Patient Portal Signature Retrieval

Vulnerability

A missing authorization check in OpenEMR versions prior to 8.0.0.3 allows authenticated patient portal users to access the signature images of staff members by sending an arbitrary user value in the POST request to 'portal/sign/lib/show-signature.php'. The corresponding write endpoint, 'save-signature.php', has been secured, but the read endpoint remains vulnerable. The issue arises because the '$user' variable is not properly validated or restricted, which enables unauthorized access to staff signatures.

Impact

Exploitation of this vulnerability allows any authenticated patient portal user to read the drawn signature images and full names of staff members, bypassing authorization controls. This access to staff data from the portal session context represents a significant privacy breach.

Reproduction

To reproduce this vulnerability, log in to the patient portal and capture the session cookie. Then send a POST request to 'portal/sign/lib/show-signature.php' with a JSON body that includes the 'user' ID of a staff member and 'type' set to 'admin-signature'. If the request succeeds, the response contains the base64-encoded signature image, which can be extracted and decoded.

Remediation

Users can update to OpenEMR version 8.0.0.3, which addresses this vulnerability by implementing the necessary authorization checks in the 'show-signature.php' endpoint.
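
One way to apply the kind of check the read endpoint was missing, as an added example that is not OpenEMR's actual patch or code. The session keys 'portal_pid' and 'staff_user_id', the 'patient-signature' type name, and the rule that a portal session may read only its own signature are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// 'user', 'type' and 'admin-signature' come from the advisory. The session keys
// and the 'patient-signature' type name are hypothetical, not OpenEMR's own.
const TYPE_ADMIN = 'admin-signature';
const TYPE_PATIENT = 'patient-signature';

// Decide whose signature a request may read. The subject is taken from the
// server-side session; the client-supplied 'user' counts only for staff sessions.
function authorize_signature_read(array $session, array $body): array
{
    $deny = static fn(string $why): array => ['allow' => false, 'subject' => null, 'reason' => $why];

    $type = $body['type'] ?? null;
    if (!in_array($type, [TYPE_ADMIN, TYPE_PATIENT], true)) {
        return $deny('unknown signature type');
    }
    if (isset($session['portal_pid'])) {
        // Portal session: own signature only, whatever 'user' the body carries.
        if ($type !== TYPE_PATIENT) {
            return $deny('portal session may not read staff signatures');
        }
        return ['allow' => true, 'subject' => (int) $session['portal_pid'], 'reason' => 'subject from session'];
    }
    if (isset($session['staff_user_id'])) {
        // Staff session: the requested id must still be a positive integer.
        $user = filter_var($body['user'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        return $user === false
            ? $deny('invalid user id')
            : ['allow' => true, 'subject' => $user, 'reason' => 'staff session'];
    }
    return $deny('no authenticated session');
}

// Constructed sessions and request bodies, for illustration only.
$cases = [
    'portal, staff id in body' => [['portal_pid' => 42], '{"user": 1, "type": "admin-signature"}'],
    'portal, other id in body' => [['portal_pid' => 42], '{"user": 7, "type": "patient-signature"}'],
    'staff, own signature'     => [['staff_user_id' => 1], '{"user": 1, "type": "admin-signature"}'],
    'staff, malformed id'      => [['staff_user_id' => 1], '{"user": "1 OR 1", "type": "admin-signature"}'],
    'no session'               => [[], '{"user": 1, "type": "admin-signature"}'],
];
foreach ($cases as $label => [$session, $json]) {
    $d = authorize_signature_read($session, json_decode($json, true) ?? []);
    printf("%-26s allow=%s subject=%s (%s)\n", $label, $d['allow'] ? 'yes' : 'no',
        $d['subject'] ?? '-', $d['reason']);
}
```

In the second case the portal session is allowed, but the subject is 42 from the session rather than the 7 supplied in the body.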

Added: Mar 26, 2026, 12:23 AM
Updated: Mar 26, 2026, 12:23 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 0.6
exploitability: 5.9
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.