Synopsis
Tenable Research has discovered a number of security-related issues in the OpenMRS Reference Application. We have confirmed these issues exist in version 2.9.0.
The details of these issues are as follows:
---
XSS via Referrer Headers and Arbitrary Parameters
---
The application copies "Referrer" header values into an HTML element named "redirectUrl" within many web pages (such as login.htm). There is insufficient validation for this parameter, which allows for the possibility of cross-site scripting.
The following is an example curl command to illustrate the issue:
curl -i -s -k -X $'GET' -H $'Host: 10.0.0.54:8082' -H $'Referer: http://10.0.0.54:8082/openmrs-
CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P) - 6.8
---
XSS in UIFramework Error Page
---
The UI Framework Error Page reflects arbitrary, user-supplied input back to the browser, which can result in XSS. Any page that is able to trigger a UI Framework Error is susceptible to this issue.
The following is an example of this issue: http://<host>/<openmrs path>/coreapps%3Cimg%20src=a%
The above payload decodes to: <img src=a onerror=alert(1)>
This payload can be used in almost any path for the OpenMRS application as far as I can tell.
CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P) - 6.8
---
XSS in Login Page's sessionLocation parameter
---
The sessionLocation parameter for the login page is vulnerable to cross-site scripting. Using the following payload for the parameter illustrates the issue: <script>alert(1);</script>
CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P) - 6.8
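The following is an added illustration (not OpenMRS code) of the fix for the "redirectUrl" and "sessionLocation" issues above: the Referer-derived redirect target is restricted to the application's own origin and path, and both values are HTML-attribute-encoded before being written into the page. The origin, context path and function names are assumptions for the example; the payloads are the ones quoted in this advisory.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Assumed values for the example: the origin from the curl command above and
# a hypothetical OpenMRS context path.
APP_ORIGIN = "http://10.0.0.54:8082"
APP_PATH_PREFIX = "/openmrs/"
DEFAULT_TARGET = "/openmrs/"


def render_redirect_input_vulnerable(referer: str) -> str:
    """The flaw described above: the Referer value is copied into the element verbatim."""
    return f'<input type="hidden" name="redirectUrl" value="{referer}">'


def safe_redirect_target(referer: Optional[str]) -> str:
    """Accept only same-origin URLs under the application's path; otherwise fall back.

    Only path and query are kept, so the rendered value can never point off-site.
    Relative or absent Referer values are treated as untrusted and get the default.
    """
    if not referer:
        return DEFAULT_TARGET
    try:
        parts = urlsplit(referer)
    except ValueError:  # malformed host, e.g. an unbalanced IPv6 bracket
        return DEFAULT_TARGET
    if f"{parts.scheme}://{parts.netloc}" != APP_ORIGIN:
        return DEFAULT_TARGET
    if not parts.path.startswith(APP_PATH_PREFIX):
        return DEFAULT_TARGET
    return parts.path + (f"?{parts.query}" if parts.query else "")


def render_redirect_input(referer: Optional[str]) -> str:
    """Hardened form: validated target, then encoded for an HTML attribute context."""
    target = safe_redirect_target(referer)
    return f'<input type="hidden" name="redirectUrl" value="{html.escape(target, quote=True)}">'


def render_session_location(value: str) -> str:
    """Hardened rendering of the sessionLocation parameter in an HTML text context."""
    return f'<span id="sessionLocation">{html.escape(value, quote=True)}</span>'
```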
---
XSS in ActiveVisit page's app parameter
---
The app parameter for the ActiveVisits page is vulnerable to cross-site scripting.
For example: http://<host>/<openmrs path>/coreapps/activeVisits.
This attack requires authentication.
CVSSv2: (AV:N/AC:M/Au:S/C:P/I:P/A:P) - 6.0
---
Authentication Bypass for Data Import
---
The import functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. For example, by visiting "http://<host>/<openmrs path>/module/dataexchange/
CVSSv2: (AV:N/AC:L/Au:N/C:N/I:P/A:P) - 6.4
---
Authentication Bypass for Data Export
---
The export functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. For example, by visiting "http://<host>/<openmrs path>/module/dataexchange/
CVSSv2: (AV:N/AC:L/Au:N/C:P/I:N/A:N) - 5.0
Solution
Upgrade to the latest supported version of OpenMRS.
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]