

Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities

Get patching after team gets under the skin of OpenEMR

Fresh light has been shed on a batch of security vulnerabilities discovered in the widely used OpenEMR medical records storage system.

A team of researchers at Project Insecurity discovered and reported the flaws, which were patched last month by the OpenEMR developers in version 5.0.1.4. With the fixes now having been out for several weeks, the infosec crew on Tuesday publicly emitted full details of the critical security bugs, with a disclosure [PDF] so long it has its own table of contents.

Any medical provider that has yet to update to the latest version of the open-source OpenEMR software is well advised to do so now, before some miscreant exploits the holes to nab sensitive records.

Among the list of bugs found by Project Insecurity are four remote code execution flaws; nine SQL injection vulnerabilities; arbitrary read, write and deletion bugs; three information disclosure flaws; a cross-site request forgery allowing for remote code execution; deep breath; an unrestricted file upload hole; a patient portal authentication bypass flaw; and administrative actions that can be performed simply by guessing a URL path.

Delicious source

Perhaps what is most impressive is that the Project Insecurity gang – Brian Hyde, Cody Zacharias, Corben Leo, Daley Bee, Dominik Penner, Manny Mand, and Matthew Telfer – said all of the bugs were discovered by a team of seven researchers poring over source code without the use of any automated testing tools.

"We set up our OpenEMR testing lab on a Debian LAMP server with the latest source code downloaded from GitHub," the Insecurity team explained.

"The vulnerabilities disclosed in this report were found by manually reviewing the source code and modifying requests with Burp Suite Community Edition; no automated scanners or source code analysis tools were used."

In disclosing the flaws, Insecurity's researchers make a number of recommendations to the OpenEMR community to avoid the introduction of further vulnerabilities, including the use of parameterized database queries in PHP scripts (to prevent SQL injection) and limiting uploads only to non-executable image files (to patch the arbitrary file upload-and-run hole).
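To make the two recommendations concrete, here is an added PHP example (not OpenEMR's code, nor from the Project Insecurity report) showing a string-built query next to its parameterized replacement, and an upload handler that accepts only genuine, non-executable image files. The `$pdo` connection, the `patient_data` table and the form field names are assumptions for illustration.

```php
<?php
// Added example, not OpenEMR code. Assumes an existing PDO connection $pdo
// and a placeholder table patient_data(id, fname, lname).

// --- SQL injection: the query text is built from user input ---
function findPatientVulnerable(PDO $pdo, string $lastName): array {
    // $lastName is concatenated into the SQL text, so a quote character in
    // the input changes the structure of the query rather than its data.
    $sql = "SELECT id, fname, lname FROM patient_data WHERE lname = '$lastName'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: prepared statement with a bound parameter ---
function findPatientSafe(PDO $pdo, string $lastName): array {
    // The value travels separately from the SQL text, so the database only
    // ever compares it as a string; it is never parsed as SQL.
    $stmt = $pdo->prepare("SELECT id, fname, lname FROM patient_data WHERE lname = :lname");
    $stmt->execute([':lname' => $lastName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Upload restriction: only real image files, stored under a server-chosen name ---
function storeImageUpload(array $file, string $uploadDir): string {
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Decide by file content, not by the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('only PNG, JPEG or GIF images are accepted');
    }
    // Random name plus a fixed extension: the original filename (and any
    // script extension on it) never reaches the filesystem.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}
```

Pair the upload check with server configuration: keep `$uploadDir` outside the web root, or serve it with script execution disabled, so that even a mis-detected file cannot be run.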

Other bugs, such as the remote code execution and cross-site request forgery flaws, will require developers getting up to speed and implementing best practices for writing secure code.

"Obviously, if a malicious user were to convince an administrator to click a certain link, that malicious user could successfully pop a shell on their target," the researchers noted. "Nearly all of OpenEMR’s administrative actions are vulnerable to CSRF one way or another."

OpenEMR bills itself as "the most popular open source electronic health records and medical practice management solution." ®
