XSS, SQLi in OpenEMR 4.1.1

A few tests ago, I came across an OpenEMR install with a weak password for a 'Guest' level account. Using the guest access, mixed with some application issues I found along the way, I was able to eventually compromise the server running OpenEMR. It also served as a good launching point to further attack the Internal network. Lets dig in...

First, I found SQL Injection in the following location:

Reports > Visits > SuperBill > Dates

By browsing to this page and dumping in junk in either the start or end date parameters, we see the following SQL error message:

ERROR: query failed: select * from forms where form_name = 'New Patient Encounter' and date between 'a'' and '2013-07-12' order by date DESC
Turning SQLMap loose, I managed to dump most of the database contents (depending on your DB user, of course). This led to some juicy patient data, as well as a load of usernames and password hashes for the OpenEMR application. I let my GPU box chew on the password hashes for a bit, and kept poking at the application.

The next issue I found was HTML injection / XSS on an 'Office Notes' page. By visiting Misc > Office Notes and entering a UNC path into the notes section, I was able to entice any users visiting that page to attempt authentication with my system, which was hosting a fake SMB server with static challenges:

Screen Shot

This allowed me to capture a handful of domain usernames and password hashes. In addition, I had some luck cracking the OpenEMR password hashes from earlier, and some of the passwords were re-used locally on the Linux system hosting OpenEMR, allowing me access via SSH.

The OpenEMR development team has been notified of these issues, and they have been fixed in the latest 4.1.1 patch listed here:


Advisory here:

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.