Users of the OpenClinic health care record system should beware. Security researchers at Bishop Fox have discovered four zero-day vulnerabilities in it that allow attackers to access health care records and other confidential data, which is extremely dangerous. OpenClinic is an open source health care record management system written in PHP, and it is available in many languages.
The biggest flaw discovered while testing the program is a missing authentication check, discovered by Klejin. It lets attackers request sensitive documents from the medical directory, giving them access to patients' test results in the process. The bug is exploitable; the only thing that keeps it from being rated critical is that the user or attacker must know the patient's name before they can initiate such a request. Even so, it is quite dangerous and exposes a lot of flaws in the system itself.
Medical test files can be requested from anywhere, and their names can even be guessed, so the flaw must be fixed as soon as possible to ensure patient health records are safe and secure. Another error found in the system is that users can upload code and achieve remote code execution on the server, which can allow them to access information, install malware, or use the server to reach other nodes on the network. Users with admin privileges can upload a new file directly to the endpoint and thus bypass the internal security controls present within OpenClinic, leaving it vulnerable to even more attacks in the future. Moreover, another bug found was that unauthorized payloads can be sent to the server without any error message or rejection from it.
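The missing-authentication and guessable-file-name problems described above come down to a file-serving endpoint that never asks who is calling or whether the requested path stays inside the medical directory. The following is an added illustration written for this article, not OpenClinic's own code: a hypothetical PHP download handler for test results that gates on a login session, checks that the caller may view the patient, and resolves the file name so it cannot escape the patient's directory. The session layout, the `MEDICAL_DIR` location and the `can_view_patient()` rule are assumptions.

```php
<?php
// Hypothetical hardened download handler (added illustration, not OpenClinic code).
// Assumed: $_SESSION carries 'user_id', 'role' and a 'patients' list;
// test results live under MEDICAL_DIR/<patient id>/<file name>.
declare(strict_types=1);

const MEDICAL_DIR = '/var/www/openclinic/medical'; // assumed location

function require_login(): array {
    // Unauthenticated callers are refused before any file is touched.
    session_start();
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Authentication required');
    }
    return $_SESSION;
}

function can_view_patient(array $session, int $patientId): bool {
    // Placeholder authorization rule: admins see everything, other users
    // only the patients explicitly assigned to them in the session.
    if (($session['role'] ?? '') === 'admin') { return true; }
    return in_array($patientId, $session['patients'] ?? [], true);
}

function resolve_test_file(int $patientId, string $name): ?string {
    // Only a plain file name is accepted; directory components and '..' are rejected.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name) || str_contains($name, '..')) {
        return null;
    }
    $base = realpath(MEDICAL_DIR . '/' . $patientId);
    $path = $base === false ? false : realpath($base . '/' . $name);
    // realpath() collapses symlinks and '..', so the prefix check below is reliable.
    if ($path === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$session   = require_login();
$patientId = filter_input(INPUT_GET, 'patient', FILTER_VALIDATE_INT);
$name      = (string) filter_input(INPUT_GET, 'file');
if ($patientId === false || $patientId === null || !can_view_patient($session, $patientId)) {
    http_response_code(403);
    exit('Forbidden');
}
$path = resolve_test_file($patientId, $name);
if ($path === null) { http_response_code(404); exit('Not found'); }
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The same pattern applies to the upload endpoint mentioned above: authenticate, authorize the role, and constrain the destination path before writing anything to disk.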
Combined, these bugs create a system that is heavily exploitable and poorly defended. The number and severity of these flaws can let attackers easily access sensitive patient information and misuse it, which is extremely dangerous.