Fresh light has been shed on a batch of security vulnerabilities discovered in the widely used OpenEMR medical records storage system.
A team of researchers at Project Insecurity discovered and reported the flaws, which were patched last month by the OpenEMR developers in version 5.0.1.3. With the fixes now having been out for several weeks, the infosec crew on Tuesday publicly emitted full details of the critical security bugs, with a disclosure [PDF] so long it has its own table of contents.
Any medical provider that has yet to update to the latest version of the open-source OpenEMR software is well advised to do so now, before some miscreant exploits the holes to nab sensitive records.
Among the list of bugs found by Project Insecurity are four remote code execution flaws; nine SQL injection vulnerabilities; arbitrary read, write and deletion bugs; three information disclosure flaws; a cross-site request forgery allowing for remote code execution; deep breath; an unrestricted file upload hole; a patient portal authentication bypass flaw; and administrative actions that can be performed simply by guessing a URL path.
Perhaps what is most impressive is that the Project Insecurity gang – Brian Hyde, Cody Zacharias, Corben Leo, Daley Bee, Dominik Penner, Manny Mand, and Matthew Telfer – said all of the bugs were discovered by the seven of them poring over the source code by hand, without the use of any automated testing tools.
"We set up our OpenEMR testing lab on a Debian LAMP server with the latest source code downloaded from GitHub," the Insecurity team explained.
"The vulnerabilities disclosed in this report were found by manually reviewing the source code and modifying requests with Burp Suite Community Edition; no automated scanners or source code analysis tools were used."
In disclosing the flaws, Insecurity's researchers make a number of recommendations to the OpenEMR community to avoid the introduction of further vulnerabilities, including the use of parameterized database queries in PHP scripts (to prevent SQL injection) and limiting uploads to non-executable image files (to close the arbitrary file upload-and-run hole).
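To make those two recommendations concrete, here is an added illustration in PHP. It is not OpenEMR's code and not taken from the Project Insecurity report; the table and column names (`patient_data`, `pid`, `lname`), the `$pdo` handle and the upload directory are hypothetical. It puts the injectable query pattern next to its parameterized replacement, and shows an upload handler that accepts only files whose bytes are actually an image and never lets the client choose the stored filename.

```php
<?php
// Added example, not OpenEMR code. Table/column names and $pdo are assumed.
// Connect with emulated prepares OFF so the MySQL server, not the PHP driver,
// binds parameters; otherwise "prepared" statements are still string-built.
$pdo = new PDO('mysql:host=localhost;dbname=openemr_demo;charset=utf8mb4', 'demo', 'demo', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// VULNERABLE: the request value becomes part of the SQL text.
// lname = "x' OR '1'='1" returns every patient; a UNION SELECT reads other tables.
function findPatientVulnerable(PDO $pdo, string $lname): array
{
    $sql = "SELECT pid, lname FROM patient_data WHERE lname = '" . $lname . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: parameterized query. The statement's structure is fixed at prepare
// time; the value is sent separately and can only ever be compared as data.
function findPatientSafe(PDO $pdo, string $lname): array
{
    $stmt = $pdo->prepare('SELECT pid, lname FROM patient_data WHERE lname = ?');
    $stmt->execute([$lname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Upload restriction: accept only real PNG/JPEG/GIF content, store it under a
// server-generated name, outside the document root, with no execute bit.
function storeImageUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Sniff the bytes; the client-supplied name and Content-Type are untrusted.
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('only PNG, JPEG or GIF images are accepted');
    }
    // Second opinion: the image decoder must be able to read the header too.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Random server-chosen name: the original filename, any ".php" extension
    // and any "../" path components in it are discarded entirely.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the web server, never executable
    return $name;
}

// Usage (hypothetical form field "photo"; directory must exist and be writable):
// $stored = storeImageUpload($_FILES['photo'], '/var/lib/openemr_demo/uploads');
// $rows   = findPatientSafe($pdo, $_GET['lname'] ?? '');
```

Two caveats worth stating: extension and MIME checks limit what a file claims to be, not what the web server will do with it, so the upload directory should also be outside the document root (or have the PHP engine disabled for it) so that even a misclassified file is served as bytes rather than run. And parameterization only covers values; table or column names that vary at runtime still need to be validated against an allow-list, since they cannot be bound as parameters.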
Other bugs, such as the remote code execution and cross-site request forgery flaws, will require developers to get up to speed on and implement best practices for writing secure code.
"Obviously, if a malicious user were to convince an administrator to click a certain link, that malicious user could successfully pop a shell on their target," the researchers noted. "Nearly all of OpenEMR’s administrative actions are vulnerable to CSRF one way or another."
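The CSRF problem the researchers describe is the classic one: a state-changing administrative action that any request carrying the admin's session cookie can trigger, including one launched from an attacker's page. The added PHP below, which is not OpenEMR's code and not from the report, shows the synchronizer-token pattern that closes it. The script name `admin_action.php`, the `delete_user` action and the `deleteUser()` call are hypothetical.

```php
<?php
// Added example, not OpenEMR code. admin_action.php, delete_user and
// deleteUser() are hypothetical names used only to illustrate the pattern.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']); // PHP >= 7.3
session_start();

// Issue one unguessable token per session and embed it in every
// state-changing form. A cross-origin page cannot read it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify before every state change. A forged request carries the victim's
// cookie automatically, but not the token, so it is rejected here.
function requireCsrfToken(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent)
        || !hash_equals((string) ($_SESSION['csrf_token'] ?? ''), $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// VULNERABLE shape: the action fires on any request that reaches the URL,
// so <img src="admin_action.php?action=delete_user&id=7"> on an attacker's
// page performs it with the logged-in admin's session.
//   if (($_GET['action'] ?? '') === 'delete_user') { deleteUser((int) $_GET['id']); }

// HARDENED: state changes only via POST, only with a valid token, and only
// after the usual authorization check (is this session actually an admin?).
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && ($_POST['action'] ?? '') === 'delete_user') {
    if (empty($_SESSION['is_admin'])) {           // authorization, not just authentication
        http_response_code(403);
        exit('forbidden');
    }
    requireCsrfToken();
    // deleteUser((int) $_POST['id']);            // hypothetical admin operation
}
?>
<!-- The legitimate form carries the token; the attacker's page cannot. -->
<form method="post" action="admin_action.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="hidden" name="action" value="delete_user">
  <input type="number" name="id">
  <button type="submit">Delete user</button>
</form>
```

The `hash_equals()` comparison avoids leaking the token through timing differences, and the `SameSite=Lax` cookie attribute is defense in depth rather than a replacement for the token, since it does not cover every cross-site request shape. The authorization check is there because the report also lists administrative actions reachable just by guessing a URL path: a CSRF token stops a third party from riding an admin's session, but it does nothing if the action never checked who is calling it in the first place.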
OpenEMR bills itself as "the most popular open source electronic health records and medical practice management solution." ®