CVE-2018-15150 in OpenEMR
Summary
by MITRE
SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in interface/super/edit_globals.php.
Analysis
by VulDB Data Team • 05/02/2023
The vulnerability described in CVE-2018-15150 is a critical SQL injection flaw in the OpenEMR healthcare information system affecting versions prior to 5.0.1.4. It exists in the de_identification_screen2.php file within the interface/de_identification_forms directory, creating a pathway for malicious actors to manipulate the underlying database through carefully crafted input. The attack vector specifically targets the temporary_files_dir variable located in interface/super/edit_globals.php, which serves as the entry point for unauthorized database access.
This SQL injection vulnerability stems from improper sanitization of user-supplied input, allowing an authenticated attacker with access to the system to alter the flow of SQL query execution. The flaw enables attackers to inject SQL commands that bypass the application's normal access controls and interact directly with the database backend. The vulnerability is particularly concerning because it requires only authenticated access: an attacker who has already obtained legitimate credentials can exploit this weakness to escalate their privileges or extract sensitive data from the healthcare database.
The operational impact of this vulnerability extends beyond simple data theft, as it can enable attackers to modify or delete critical patient information, potentially compromising patient care and violating healthcare regulations such as HIPAA. Because the vulnerability allows arbitrary SQL command execution, attackers can perform any database operation, including data extraction, modification, or deletion. This creates a significant risk for healthcare organizations that rely on OpenEMR for patient management, as the compromise of patient records could lead to identity theft, medical fraud, or disruption of healthcare services.
The technical nature of this vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws in software applications. From an attack framework perspective, this vulnerability maps to multiple ATT&CK techniques, including T1071.004 for application layer protocol manipulation and T1566 for credential access through exploitation of software vulnerabilities. The attack requires minimal privileges since it targets an authenticated interface, making it particularly dangerous in environments where legitimate users have administrative access. Organizations should immediately apply security patches to address this vulnerability, as the risk of exploitation increases with the availability of public exploit frameworks targeting similar SQL injection flaws in healthcare systems.
Mitigation strategies should include immediate deployment of the patched version 5.0.1.4 or later, implementation of proper input validation and parameterized queries throughout the application codebase, and enhanced monitoring of database access patterns for suspicious activity. Security teams should also conduct thorough code reviews to identify similar SQL injection vulnerabilities in other parts of the OpenEMR system, and deploy web application firewalls to detect and block malicious SQL injection attempts. Regular vulnerability assessments and penetration testing should be performed to ensure that similar flaws do not exist in other components of the healthcare information system infrastructure.
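The pattern the analysis describes (a setting written on one screen and later spliced into a query on another) and the parameterized-query fix it recommends, shown side by side as an added Python model using an in-memory SQLite database. This is illustrative code written for this page, not OpenEMR's own PHP; the table and column names (globals, deid_jobs), the function names and the sample rows are constructed assumptions.

```python
import re
import sqlite3

# Constructed in-memory model of the CVE-2018-15150 pattern. Table and column
# names are assumptions for this example, not OpenEMR's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE globals (gl_name TEXT PRIMARY KEY, gl_value TEXT)")
    conn.execute("CREATE TABLE deid_jobs (job_id INTEGER, out_dir TEXT, status TEXT)")
    conn.executemany("INSERT INTO deid_jobs VALUES (?, ?, ?)", [
        (1, "/tmp/openemr", "done"),
        (2, "/var/deid/private", "running"),
    ])
    return conn

# Allow-list for an absolute path; defence in depth at write time, not a
# replacement for placeholders at query time.
SAFE_DIR = re.compile(r"/[A-Za-z0-9_./-]*")

def is_valid_tmp_dir(value):
    return SAFE_DIR.fullmatch(value) is not None

def set_temporary_files_dir(conn, value, validate=True):
    # Counterpart of the edit_globals.php setting: store the configured directory.
    if validate and not is_valid_tmp_dir(value):
        raise ValueError("temporary_files_dir must be an absolute path")
    conn.execute("INSERT OR REPLACE INTO globals VALUES ('temporary_files_dir', ?)", (value,))

def current_tmp_dir(conn):
    row = conn.execute("SELECT gl_value FROM globals WHERE gl_name = 'temporary_files_dir'")
    return row.fetchone()[0]

def jobs_in_tmp_dir_vulnerable(conn):
    # Anti-pattern: the stored value is trusted because it came from the database
    # and is concatenated straight into the SQL text.
    sql = f"SELECT job_id FROM deid_jobs WHERE out_dir = '{current_tmp_dir(conn)}' ORDER BY job_id"
    return [r[0] for r in conn.execute(sql)]

def jobs_in_tmp_dir_safe(conn):
    # Hardened form: the value is bound as a parameter, so quotes in it stay data.
    sql = "SELECT job_id FROM deid_jobs WHERE out_dir = ? ORDER BY job_id"
    return [r[0] for r in conn.execute(sql, (current_tmp_dir(conn),))]

def demo():
    conn = make_db()
    set_temporary_files_dir(conn, "/tmp/openemr")
    normal = (jobs_in_tmp_dir_vulnerable(conn), jobs_in_tmp_dir_safe(conn))
    # Constructed value with a quote, stored with validation bypassed: it turns the
    # concatenated WHERE clause into a tautology but matches nothing when bound.
    set_temporary_files_dir(conn, "x' OR '1'='1", validate=False)
    tainted = (jobs_in_tmp_dir_vulnerable(conn), jobs_in_tmp_dir_safe(conn))
    return normal, tainted
```

Running demo() shows the concatenated query returning every job row once the setting contains a quote, while the parameterized query returns none; the write-time allow-list rejects the same value before it is ever stored.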