Security fix (high priority)

bradymiller wrote on Tuesday, December 06, 2011:

Hi,

Got an email from the security team regarding this SQL injection exploit (they will likely post this exploit pretty soon), which I consider high priority because it can be exploited without even logging into OpenEMR. I also removed the fetching of the password because it is not even used, so there is no reason to collect it. Please feel free to review it:
https://github.com/bradymiller/openemr/commits/security-fix

thanks,
-Brady

sunsetsystems wrote on Tuesday, December 06, 2011:

Thanks, Brady. I’d be interested to know how much time they or anyone else has spent looking for vulnerabilities. If not much, then I would expect that quite a few more of these exist.

Rod
www.sunsetsystems.com

bradymiller wrote on Tuesday, December 06, 2011:

Hi Rod,

Here’s a wiki page tracking the published exploits:
http://open-emr.org/wiki/index.php/Security_Alert_Fixes

And here’s a comprehensive security review done several years back showing numerous issues in the codebase:
http://open-emr.org/wiki/index.php/Codebase_Security#Assessment

The concerning thing about the exploit above is that it is in a script that does not require authorization. Probably the first priority on the security walk-through should be the scripts that have the following flag in them:
$ignoreAuth=true;

-brady
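
One way to start the walk-through described in the post above, as an added example that is not OpenEMR code: a small Python scanner that walks a PHP tree, records which scripts set `$ignoreAuth = true` (reachable with no login), and within every file flags lines that splice `$_GET`/`$_POST`/`$_REQUEST`/`$_COOKIE` input, directly or through a variable assigned from it, into a SQL string literal by interpolation or concatenation. Unauthenticated scripts with findings are listed first. The three PHP files it writes to a temporary directory are constructed for the demo, and the database helper names it matches (`sqlStatement`, `sqlQuery`, `sqlFetchArray`, `mysql_query`) are assumptions about the call sites; adjust them to the codebase being audited.

```python
"""Audit helper for prioritising a SQL-injection walk-through.

Added example, not code from OpenEMR. It lists PHP scripts that set
$ignoreAuth = true (no login required) and flags lines in any script
where request input reaches a SQL string literal. Heuristic only: it
flags where tainted data is spliced into a query string, not the
separate line that later executes that string.
"""
import os
import re
import tempfile

# Scripts that set this flag skip the login check, so they are reachable
# by an unauthenticated attacker (the situation described in the thread).
IGNORE_AUTH_RE = re.compile(r'\$ignoreAuth\s*=\s*true\s*;', re.IGNORECASE)
# Attacker-controlled superglobals.
REQUEST_RE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')
# A variable assigned from an expression that reads request input.
ASSIGN_RE = re.compile(r'(\$\w+)\s*=[^=].*?\$_(?:GET|POST|REQUEST|COOKIE)\b')
# Lines that look like they build or run SQL. The helper names are an
# assumption about the codebase's database wrappers; adjust as needed.
SQL_RE = re.compile(
    r'\b(?:select|insert|update|delete|sqlStatement|sqlQuery|sqlFetchArray|mysql_query)\b',
    re.IGNORECASE)
# Double-quoted PHP string literals (where "$var" interpolation happens).
DQ_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def tainted_in_sql(line, tainted):
    """True if a request-derived value is spliced into a string literal on
    this line, by "$var" interpolation or by . concatenation."""
    names = set(tainted) | {m.group(0) for m in REQUEST_RE.finditer(line)}
    for literal in DQ_STRING_RE.findall(line):
        for name in names:
            if re.search(re.escape(name) + r'\b', literal):
                return True          # e.g. "... WHERE pid = '$pid'"
    for name in names:
        n = re.escape(name)
        if re.search(r'"\s*\.\s*' + n, line) or \
           re.search(n + r'(\[[^\]]*\])?\s*\.\s*"', line):
            return True              # e.g. "..." . $_POST['user'] . "..."
    return False


def scan_file(path):
    """Return (unauthenticated, findings); findings is [(line_no, text)]."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().splitlines()
    unauth = any(IGNORE_AUTH_RE.search(l) for l in lines)
    tainted, findings = set(), []
    for no, line in enumerate(lines, 1):
        m = ASSIGN_RE.search(line)
        if m:
            tainted.add(m.group(1))  # remember $var = ... $_GET[...] ...
        if SQL_RE.search(line) and tainted_in_sql(line, tainted):
            findings.append((no, line.strip()))
    return unauth, findings


def audit_tree(root):
    """Return {relative_path: (unauthenticated, findings)} for every .php
    file under root, unauthenticated scripts with findings first."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = scan_file(full)
    return dict(sorted(results.items(),
                       key=lambda kv: (not kv[1][0], -len(kv[1][1]), kv[0])))


# Constructed sample scripts for the demo (not real OpenEMR files).
SAMPLES = {
    # No login required and $_GET interpolated straight into the query.
    "unauth_vuln.php": '''<?php
$ignoreAuth = true;
require_once("interface/globals.php");
$pid = $_GET['pid'];
$res = sqlStatement("SELECT fname FROM patient_data WHERE pid = '$pid'");
''',
    # Same entry point, but the value is passed as a bound parameter.
    "unauth_fixed.php": '''<?php
$ignoreAuth = true;
require_once("interface/globals.php");
$pid = $_GET['pid'];
$res = sqlStatement("SELECT fname FROM patient_data WHERE pid = ?", array($pid));
''',
    # Login required, but still concatenates $_POST into SQL (lower priority).
    "authed.php": '''<?php
require_once("interface/globals.php");
$q = "SELECT id FROM users WHERE username = '" . $_POST['user'] . "'";
$res = sqlStatement($q);
''',
}


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_tree(root)


if __name__ == "__main__":
    for path, (unauth, findings) in demo().items():
        tag = "NO-AUTH" if unauth else "auth   "
        print(f"[{tag}] {path}: {len(findings)} suspicious SQL line(s)")
        for no, text in findings:
            print(f"    line {no}: {text}")
```

Run it against a checkout by replacing `demo()` with `audit_tree("/path/to/openemr")`. The scanner is deliberately a triage tool: it ranks `$ignoreAuth` scripts to the top and points at the line where tainted data enters a query string, but a clean report does not prove a script safe, since it does not follow data across files or through functions.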

bradymiller wrote on Saturday, December 10, 2011:

Hi,
Committed this fix to SourceForge a couple of days ago. Plan to include it in the next 4.1 patch.
-brady