Vulnerabilities in OpenClinic Application Could Allow Unauthorized PHI Access

Four vulnerabilities have been identified in the OpenClinic application, the most severe of which could allow authentication to be bypassed and protected health information (PHI) to be viewed from the application by unauthorized users.

OpenClinic is an open source, PHP-based health record management software that is used in many private clinics, hospitals, and physician practices for administration, clinical and financial tasks.

A BishopFox Labs researcher has identified four vulnerabilities in the software which have yet to be corrected. The most serious vulnerability involves missing authentication, which could be exploited to gain access to any patient’s medical test results. Authenticated users of the platform can upload patient’s test results to the application, which are loaded into the /tests/ directory. Requests for files in that directory do not require users to be authenticated to the application to return and display the test results.

In order for the test results to be obtained, an unauthenticated user would need to guess the names of the files; however, the BishopFox researcher explained that medical test filenames can be predictable and could be obtained through log files on the server or other network infrastructure. The vulnerability (CVE-2020-28937) can be exploited remotely and has received a high severity rating.

A high severity insecure file upload vulnerability (CVE-2020-28939) was identified which would allow users with administrative or administrator user roles to upload malicious files. The researcher found those users who have rights to enter medical tests for patients could upload files using the /openclinic/medical/test_new.php endpoint, which does not restrict the types of files that can be uploaded to the application. Consequently, it would be possible to upload web shells, which could be used for arbitrary code execution on the application server. A malicious actor with an administrative or administrator user role could obtain sensitive information, escalate privileges, install malicious software, or gain access to the internal network.

The third vulnerability (CVE-2020-28938) is a medium-severity stored cross-site scripting vulnerability that allows application users to force actions on behalf of other users. Measures have been included in the application to prevent cross-site scripting; however, those controls can be bypassed. A low-privileged user could exploit the vulnerability by getting an Administrator to click a malicious link, which could be used to execute a payload that creates a new Administrator account for the low privileged user.

The fourth vulnerability is a low-severity path traversal flaw that could be exploited in a denial of service attack affecting upload functionality. The flaw allows an authenticated attacker to write files to the application server’s filesystem.

Gerben Kleijn, Senior Security Consultant, Bishop Fox, was credited with discovering the flaws. “At the time of this publication there is no version of OpenClinic available that does not suffer from the identified vulnerabilities, and the recommendation is to switch to a different medical records management software,” said Kleijn in a blog post announcing the vulnerabilities.

These are not the first serious vulnerabilities to be identified in OpenClinic this year. In July, an alert was issued by CISA about 12 vulnerabilities in the software, 3 of which were rated critical and 2 high severity.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.