Multiple Vulnerabilities Found In Healthcare Software OpenEMR
Researchers have found three separate vulnerabilities in OpenEMR, an open-source software for electronic health records and medical practice management.
Clean code experts at Sonar published an advisory Wednesday about the flaws, which were discovered by security researcher Dennis Brinkrolf.
“During our security research of popular web applications, we discovered several code vulnerabilities in OpenEMR,” Brinkrolf wrote.
“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure.”
The security expert explained that the company’s static application security testing (SAST) engine discovered that two of these three vulnerabilities combined could lead to unauthenticated remote code execution (RCE).
“In summary, an attacker can use the reflected XSS, upload a PHP file […] and then use the path traversal via the Local File Inclusion to execute the PHP file. It takes a few tries to figure out the appropriate Unix timestamp but eventually leads to remote code execution.”
As for the third vulnerability, it allowed attackers to configure OpenEMR in a certain way in order to eventually steal user data.
“In other words, if OpenEMR is set up correctly, an unauthenticated attacker can read files like certificates, passwords, tokens, and backups from an OpenEMR instance via a rogue MySQL server,” Brinkrolf explained.
The security researcher added that Sonar reported all issues to the OpenEMR maintainers on October 24, 2022; seven days later, the maintainers released version 7.0.0, which fixes all three vulnerabilities.
“If you are using OpenEMR, we strongly recommend updating to the fixed versions mentioned above,” the Sonar post concluded. “We want to thank the OpenEMR team for their professional and fast responses and patches.”
The patched vulnerabilities come almost five years after researchers at Project Insecurity found over 20 flaws (now fixed) in OpenEMR.