Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in the phpGACL class. One of these vulnerabilities also affects OpenEMR, a medical practice management software written in PHP. phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List. An adversary could exploit these vulnerabilities by sending the target machine a specially crafted, malicious HTTP request or URL.

In accordance with our coordinated disclosure policy, Cisco Talos worked with phpGACL and OpenEMR to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

phpGACL template multiple cross-site scripting vulnerabilities (TALOS-2020-1177/CVE-2020-13562 - CVE-2020-13564)

Multiple cross-site scripting vulnerabilities exist in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

phpGACL return_page redirection open redirect vulnerability (TALOS-2020-1178/CVE-2020-13565)

An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7. A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability.
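The open-redirect class of bug described above comes down to trusting a caller-supplied "return to this page" value. The following is an added example, not phpGACL's code, of how such a value can be validated before it is placed in a Location header: only single-leading-slash, same-site paths are accepted, and absolute, protocol-relative, backslash and CRLF-bearing inputs fall back to a fixed page. The function name and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not phpGACL's code): accept a user-supplied return_page value
// only when it is a same-site relative path; otherwise use a fixed fallback.

/**
 * Return $returnPage if it is a safe local path, else $fallback.
 */
function safe_return_page(string $returnPage, string $fallback = '/'): string
{
    // Reject empty values and anything with control characters, including the
    // CR/LF that would allow injecting extra response headers.
    if ($returnPage === '' || preg_match('/[\x00-\x1F\x7F]/', $returnPage)) {
        return $fallback;
    }

    // A local path starts with exactly one "/". Browsers treat "//host" and
    // "/\host" as protocol-relative URLs, so a second "/" or "\" is rejected.
    if ($returnPage[0] !== '/'
        || (isset($returnPage[1]) && ($returnPage[1] === '/' || $returnPage[1] === '\\'))) {
        return $fallback;
    }

    // Defence in depth: parse_url() must see no scheme, host or userinfo.
    $parts = parse_url($returnPage);
    if ($parts === false
        || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return $fallback;
    }

    return $returnPage;
}

// Constructed inputs exercising each branch of the check.
$inputs = [
    '/admin/index.php?section=acl',   // local path: passed through unchanged
    'https://example.invalid/phish',  // absolute URL: replaced by the fallback
    '//example.invalid/phish',        // protocol-relative: replaced by the fallback
    '/\\example.invalid',             // backslash variant: replaced by the fallback
    "/ok\r\nSet-Cookie: x=1",         // CRLF in value: replaced by the fallback
];

foreach ($inputs as $input) {
    printf("%-40s -> %s\n", var_export($input, true), safe_return_page($input, '/index.php'));
}

// In a request handler the call would be:
//   header('Location: ' . safe_return_page($_GET['return_page'] ?? '', '/index.php'));
```

An allow-list of known internal pages is stricter still and is preferable where the set of legitimate return targets is small; the path-shape check above is the general form when arbitrary internal paths must be supported.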

Read the complete vulnerability advisory here for additional information.

phpGACL database multiple SQL injection vulnerabilities (TALOS-2020-1179/CVE-2020-13566 - CVE-2020-13568)

Multiple SQL injection vulnerabilities exist in the database functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.
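The root cause of this vulnerability class is request data being concatenated into SQL text. As an added example that is not phpGACL's code, the block below contrasts that pattern with a bound-parameter lookup. It uses PDO with an in-memory SQLite database so that it runs offline; the table, column names and sample rows are constructed for the illustration (phpGACL itself uses ADOdb, which also supports bound parameters).

```php
<?php
// Added example (not phpGACL's code): string-built SQL next to the same lookup
// using a bound parameter. Schema and rows are constructed for this example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE acl_sections (id INTEGER PRIMARY KEY, value TEXT, name TEXT)');
$db->exec("INSERT INTO acl_sections (value, name) VALUES ('user', 'Users'), ('admin', 'Administrators')");

// Unsafe pattern: the request value becomes part of the SQL statement text, so
// quote characters in it change the query's structure.
function find_section_unsafe(PDO $db, string $value): array
{
    $sql = "SELECT id, value, name FROM acl_sections WHERE value = '$value'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the statement text is fixed and the value is sent to the
// database as data, so it is compared literally whatever characters it holds.
function find_section(PDO $db, string $value): array
{
    $stmt = $db->prepare('SELECT id, value, name FROM acl_sections WHERE value = :value');
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal lookup and one containing SQL metacharacters.
foreach (['admin', "' OR 1=1 --"] as $value) {
    printf("input %s\n", var_export($value, true));
    printf("  unsafe  : %d row(s)\n", count(find_section_unsafe($db, $value)));
    printf("  prepared: %d row(s)\n", count(find_section($db, $value)));
}
```

Identifiers (table or column names chosen by the caller) cannot be bound this way; where a request parameter selects one, map it through a fixed allow-list of names before it reaches the query.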

Read the complete vulnerability advisory here for additional information.

OpenEMR GACL cross-site request forgery vulnerability (TALOS-2020-1180/CVE-2020-13569)

A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can send an HTTP request to trigger this vulnerability.
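A cross-site request forgery of this kind succeeds when a state-changing handler accepts any request that carries the victim's session cookie. The standard mitigation is a per-session synchronizer token that a cross-site form cannot know. The block below is an added example and not OpenEMR's code; the session array is passed in explicitly (standing in for $_SESSION) so that the functions can be exercised from the command line, and the handler skeleton at the end shows where the check sits.

```php
<?php
// Added example (not OpenEMR's code): synchronizer-token CSRF protection.
// $session stands in for $_SESSION so the functions run outside a web server.

/** Return the session's CSRF token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden form field carrying the token, escaped for HTML output. */
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

/** True only if the submitted token matches the session's token. */
function csrf_check(array $post, array $session): bool
{
    $sent     = $post['csrf_token'] ?? null;
    $expected = $session['csrf_token'] ?? '';
    // hash_equals() compares in constant time and rejects non-string input.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Constructed walk-through: the legitimate form round-trips the token; a
// cross-site form either omits it or cannot supply the right value.
$session = [];
$token = csrf_token($session);
var_dump(csrf_check(['csrf_token' => $token], $session));   // token from our own form
var_dump(csrf_check(['csrf_token' => 'forged'], $session)); // wrong value
var_dump(csrf_check([], $session));                         // no token at all

// Shape of a state-changing handler that enforces the check:
//   session_start();
//   if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST, $_SESSION)) {
//       http_response_code(403);
//       exit('invalid CSRF token');
//   }
//   // ... apply the ACL change ...
```

Setting the session cookie with the SameSite attribute adds a second, browser-enforced layer, but the server-side token remains the check that does not depend on client behaviour.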

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that TALOS-2020-1177 through TALOS-2020-1179 affect OpenEMR version 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce), as well as phpGACL version 3.3.7. TALOS-2020-1180 also affects the two versions of OpenEMR, but not phpGACL.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 56143 - 56149, 56152, 56153