I have noticed that with the upgrade from 4.1.2 to 4.2.0, in a multi-site configuration (same code base, separate databases), an administrative user at any one of the sites is able to have full access/privileges to all the separate site databases through phpMyAdmin from within OpenEMR.
(running on Debian 7 server, MariaDB 10.0, Apache 2.2)
This was not possible on the previous version. This is a significant security issue.
I am working on a solution, but the community is mightier.
The (Super-)Administrator can configure OpenEMR permissions. For starters look in Global. Disallow phpMyAdmin for some USERS in features. If this is not enough try ACL module to fine tweak.
This does not address the issue I raised. It only prevents regular users at that one site from accessing the databases. The issue is that ANY user who is enabled to have phpmyadmin access at ONE site, will, in 4.2.0, obtain access to ALL databases across a multi-site setup.
Agree this is definitely a security concern. I have noted with the more recent version of phpMyAdmin that was brought into OpenEMR (about 6 or so months ago) that it is not defaulted to a “defined” database as it used to be, despite being configured to: https://github.com/openemr/openemr/blob/master/phpmyadmin/config.inc.php#L32
Even if the “fix” hides the other databases, depending on how the database users are configured with OpenEMR, it still might be possible for the various sites to access the other databases.
A good test would be to run SHOW DATABASES when logged in through the different sites.
Then try queries like select * from databasename.users and make sure that that’s not possible.
There has always been concern that PHPMyAdmin is a large security risk, even when running in “single-site” mode. Multi-site clearly adds many more concerns.
I applied the changes to the file /var/www/openemr/phpmyadmin/libraries/navigation/Nodes/Node.class.php but it made no difference to my ability to see the other sites' databases. I am attaching the amended Node.class.php file - I think I implemented your suggestions correctly.
Plan to place this in my testing queue (testing multisite takes a bit more resources to test in my development environment). One other question is whether you are using the same OpenEMR database user credentials on the different databases?
That is likely the issue, since that same set of MySQL user credentials will have permission to view and modify each database. I am guessing that if they each have a separate MySQL user, then it would not be a problem (I am just guessing since I have not been able to test this yet).
When you log in to phpMyAdmin as some user, you have access to all databases that the user has permissions for. So you really want a separate MySQL user for each database.
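The separate-account setup described in the post above, together with a check for accounts that span sites, as an added example that is not part of the thread or of OpenEMR's own code. The database names, account names and passwords are placeholders, and the shared account shown first is an assumed starting point.

```sql
-- Added example. All names and passwords below are placeholders.
-- Run the setup and audit sections as a MySQL/MariaDB administrator.

-- Assumed starting point: one shared account granted on every site database.
-- Anyone who reaches phpMyAdmin with it can read and modify all sites.
--   GRANT ALL PRIVILEGES ON `openemr\_site1`.* TO 'openemr'@'localhost';
--   GRANT ALL PRIVILEGES ON `openemr\_site2`.* TO 'openemr'@'localhost';

-- Corrected setup: one account per site, scoped to that site's database.
-- In GRANT, "_" and "%" inside a database name are wildcards, so the
-- underscore is escaped to keep the grant from matching other names.
CREATE USER 'oe_site1'@'localhost' IDENTIFIED BY 'CHANGE_ME_1';
CREATE USER 'oe_site2'@'localhost' IDENTIFIED BY 'CHANGE_ME_2';
GRANT ALL PRIVILEGES ON `openemr\_site1`.* TO 'oe_site1'@'localhost';
GRANT ALL PRIVILEGES ON `openemr\_site2`.* TO 'oe_site2'@'localhost';

-- Once each site is switched to its own account, retire the shared one.
--   DROP USER 'openemr'@'localhost';

-- Audit 1: accounts with global (*.*) privileges. Any account listed here
-- can reach every database regardless of per-database grants.
SELECT GRANTEE, PRIVILEGE_TYPE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE <> 'USAGE'
ORDER BY GRANTEE;

-- Audit 2: accounts with database-level privileges on more than one schema.
-- A site account should never appear in this result.
SELECT GRANTEE,
       GROUP_CONCAT(DISTINCT TABLE_SCHEMA ORDER BY TABLE_SCHEMA) AS schemas
FROM information_schema.SCHEMA_PRIVILEGES
GROUP BY GRANTEE
HAVING COUNT(DISTINCT TABLE_SCHEMA) > 1;

-- Per-site check: connect as each site account in turn and run these.
SHOW GRANTS FOR CURRENT_USER();
SHOW DATABASES;                              -- must not list another site's database
SELECT COUNT(*) FROM `openemr_site2`.users;  -- as oe_site1: expect access denied
```

Hiding databases in the phpMyAdmin navigation does not change any of these results; only the grants do.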
Does that mean that there must be different root & user credentials for each site?
Because phpMyAdmin can be accessed externally & with the ability of resetting the root password outside of OpenEMR, how does a user safeguard the database?
That means changing the root password, without even being in OpenEMR or phpMyAdmin, is a very simple way to hack all sites within one practice in one fell swoop.
If that is true, it’s a big, fat vulnerability. Granted, the hacker needs to have access to the main server or a server in one of the sites, but it does not sound like a huge technical undertaking in the practised hands of cyber criminals.
Our production copy is used offline & the only Administrator is me, myself & I; so, not much of a choice in the matter.
Paul is obviously concerned about the possibility of an “inside job” to have started this thread. He is protected to a certain degree from an “outside job” with the use of Linux, but how invincible is this protection?
There are more Windows users out there than Linux users. Windows users with multiple sites are not so well protected. If the hackers can gain access to the Owner account, by definition, they will gain all Administrator privileges.