Security experts claimed that the OpenClinic application is currently suffering from major flaws. Bishop Fox Labs' researchers found four issues in the open-source health records management software.
One of these could allow an attacker to breach patient protected health information. Bishop Fox Labs tried to contact OpenClinic's development team on several occasions after discovering the flaws.
After confirming that the vulnerabilities are serious, the security researchers immediately disclosed the vulnerabilities to the public on Dec. 1. According to Health IT Security's latest report, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency also announced 12 flaws in the medical platform. These include six rated with high severity and three ranked as critical issues.
OpenClinic's most severe flaw
The Daily Swig reported that Gerben Kleijn, a senior security consultant at Bishop Fox, advised the users to look for alternative healthcare software packages. Kleijn is also the one who discovered the most dangerous flaw in the platform.
This one is a high severity missing authentication check on requests issued to the medical test endpoint. Because of its severity, it can allow hackers to successfully request files containing sensitive documents and user data from the medical test directory.
This flaw could lead to a potential mechanism that could access patients' test results in the process.
OpenClinic's file upload flaw
Another flaw was also found in the medical platform. This one is an insecure file upload vulnerability. This issue could allow authenticated attackers to achieve remote code execution (RCE) on the application server. Once they created the RCE, they can now access sensitive information, install malicious malware, and escalate privileges.
As of the moment, OpenClinic hasn't released any update yet if they are patching the newly discovered flaws. Different hackers can take advantage of the flaw by uploading malicious files to the "/openclinic/medical/test_new.php" endpoint. This one does not restrict the types of file that can be installed. The researchers also tried also tried this flaw and successfully sent a file containing a simple PHP web shell.
For more news updates about security vulnerabilities in other platforms or apps, always keep your tabs open here at TechTimes.
This article is owned by TechTimes.
Written by: Giuliano de Leon.