During an internship in our company, our students found several vulnerabilities in LibreHealth: Broken Access Control (CVE-2022-31496), Cross-Site Scripting (CVE-2022-31492, CVE-2022-31493, CVE-2022-31494, CVE-2022-31495, CVE-2022-31497, CVE-2022-31498).
We think these CVEs are a good achievement for their CVs. They have not even finished their bachelor's degrees, but they have already contributed to the safety of the internet. The names of our heroes: Alibek Akhmetov, Bakdaulet Zhaksylyk, Daniyar Absadykov, Amir Askarov, Gaukhar Uzakbay.
1. Broken Access Control (CVE-2022-31496)
Any user or admin can access the functionality of the super admin page and change some files, which leads to remote code execution.
There is no patch for these vulnerabilities because of the migration to a more stable framework. Never trust data from the client. Add htmlspecialchars() before printing values. To fix the broken access control, a super admin check should be added. Or, if there is no need for this functionality, the file can simply be deleted.
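The two fixes recommended above, a super admin check in front of the file-editing functionality and htmlspecialchars() on anything echoed back, shown together as an added PHP illustration. This is not LibreHealth's code; the session layout ($_SESSION['role']), the role name and the file allow-list are assumptions made for the example.

```php
<?php
// Added illustration, not LibreHealth code. Session layout, role name and
// the allow-listed file names are assumptions made for this example.
declare(strict_types=1);

const SUPER_ADMIN_ROLE = 'super_admin';                           // assumed role name
const EDITABLE_FILES   = ['config/custom.ini', 'config/theme.css']; // constructed allow-list

/** Abort the request unless the current session belongs to a super admin. */
function requireSuperAdmin(array $session): void
{
    if (($session['role'] ?? '') !== SUPER_ADMIN_ROLE) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/** Only allow-listed relative paths may be written; this also stops traversal. */
function resolveEditableFile(string $requested): ?string
{
    return in_array($requested, EDITABLE_FILES, true) ? $requested : null;
}

/** Escape an untrusted value before it reaches HTML (the XSS fix recommended above). */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Before: the page wrote a client-chosen file for any logged-in user and echoed
// the raw file name back, i.e. missing authorization plus reflected XSS.

// After: authorization first, then an allow-list on the file, then escaped output.
session_start();
requireSuperAdmin($_SESSION);

$target = resolveEditableFile((string)($_POST['file'] ?? ''));
if ($target === null) {
    http_response_code(400);
    exit('Unknown file');
}
file_put_contents($target, (string)($_POST['content'] ?? ''));
echo 'Saved ' . e($target);
```

The check must run before any file operation; adding it only around the HTML form leaves the POST handler reachable.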
Timeline of the vulnerabilities:
05/13/2022 – initial discovery
05/22/2022 – requested CVE IDs from MITRE
05/24/2022 – MITRE assigned CVE IDs
05/26/2022 – vendor notified
06/02/2022 – vendor confirmed the issues and allowed publication of the write-up
06/02/2022 – published