Quote:Four vulnerabilities have been discovered in the OpenClinic application for sharing electronic medical records. The most concerning of them would allow a remote, unauthenticated attacker to read patients’ personal health information (PHI) from the application.
 
OpenClinic is an open-source health records management software; its latest version is 0.8.2, released in 2016, so the flaws remain unpatched, researchers at Bishop Fox said. The project did not immediately return Threatpost’s request for comment.
 
According to researchers, the four bugs involve missing authentication; insecure file upload; cross-site scripting (XSS); and path-traversal. The most high-severity bug (CVE-2020-28937) stems from a missing authentication check on requests for medical test information.
 
Authenticated healthcare users of the application can upload medical test documents for patients, which are then stored in the ‘/tests/’ directory. Unfortunately, there’s no requirement for patients to sign in in order to view the test results.
 
“Anyone with the full path to a valid medical test file could access this information, which could lead to loss of PHI for any medical records stored in the application,” according to the firm, writing in a Tuesday posting.
A mitigating factor is the fact that an attacker would need to know or guess the names of files stored in the “/tests/” directory in order to exploit the vulnerability.
“However, medical test filenames can be predictable, and valid filenames could also be obtained through log files on the server or other networking infrastructure,” researchers wrote.