Hospital Management System (HMS) is a PHP web application used by healthcare organizations to run their day-to-day operations. A Cross Site Scripting (XSS) vulnerability has been reported in the v4. release of HMS. By exploiting it, an attacker can inject script into a page served by the application, have it run in the browser of a logged-in user, hijack that user's session, and read any data the user can see.

In this post we dissect CVE-2021-35388, the identifier assigned to this vulnerability: where the flaw sits, how it is triggered, the original references, and how to fix it. The language is kept plain so that readers at any level can judge the severity of the problem and take the necessary remediation steps.

Exploit Details

The vulnerability is a reflected Cross Site Scripting flaw in /hospital/hms/admin/patient-search.php. The value of the "search" parameter is written back into the HTML response without output encoding, so whatever the requester puts in that parameter is rendered as markup by the victim's browser. Exploitation is a single crafted request carrying an XSS payload in that parameter.

The snippet below is the client-side form and script that submit the search term. The defect itself is in the server-side handler that echoes the value back into the page; that PHP code is not reproduced here.

<!DOCTYPE html>
<html>
<head>
<!-- ... -->
<script type="text/javascript">
  function do_patient_search() {
    // Search term exactly as typed. It is submitted to patient-search.php as
    // the POST parameter "search", which the server reflects into its response.
    var search = $('#search').val();
    // ...
    $.ajax({
      type: "POST",
      url: "patient-search.php",
      data: {
        search: search
      },
      // ...
    });
  }
</script>
</head>
<body>
  <div>
    <input type="text" id="search">
    <button onclick="do_patient_search()">Search</button>
  </div>
  <!-- ... -->
</body>
</html>

This script only forwards the value to patient-search.php as the POST parameter "search". The XSS happens on the server: the handler writes that value into the HTML it returns without encoding it, so the browser treats the attacker's markup as part of the page. Adding validation in this JavaScript would not help, because an attacker sends the request directly rather than through the form.

For example, an attacker could send a request with a malicious payload as shown below. The form above submits by POST; the GET variant below works if the handler also reads the parameter from the query string, and for a POST-only handler the same payload is delivered by an auto-submitting form on an attacker-controlled page:

GET /hospital/hms/admin/patient-search.php?search=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

The application reflects the parameter into its response, so the browser of the user who issued the request executes the injected script in that user's session. Because the endpoint lives under /admin/, the victim is typically an administrator: the attacker's script can read the session cookie (unless it is flagged HttpOnly), exfiltrate sensitive information visible to that account, or issue further requests as that user.

Original References

The vulnerability was first reported by researcher Nguyen Jang, who published a write-up and proof-of-concept exploit on GitHub Gist:

- CVE-2021-35388: Hospital Management System v4. Cross Site Scripting (XSS)

Additionally, more information on the issue is available in the NVD entry:

- CVE-2021-35388 - National Vulnerability Database (NVD)

Mitigation

To fix this vulnerability, encode the "search" value for the HTML context at the point where it is written into the page (in PHP, htmlspecialchars() with ENT_QUOTES), and apply the same output encoding to every other parameter the application reflects, rather than trying to strip or blacklist dangerous strings. Input validation (length, allowed characters) is a useful second layer but does not replace output encoding. As defence in depth, flag session cookies HttpOnly so an injected script cannot read them, deploy a Content-Security-Policy that disallows inline script, run the application with least privilege, and keep it current with security patches.
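The following Python is an added example, not code from Hospital Management System or from the original write-up. It ties together the Exploit Details and Mitigation sections: two small renderers stand in for the server-side step in patient-search.php that writes the "search" value into the page (the real PHP is not reproduced; the hardened one applies the same HTML output encoding as htmlspecialchars() with ENT_QUOTES), a third shows why stripping <script> tags is not a fix, and classify_reflection() is the check you would run on a captured response from a real instance to confirm whether the probe came back unencoded. The host hms.example and the "Search results for:" wrapper are placeholders.

```python
"""Added example (not HMS code): models the reflected XSS in patient-search.php
and the check used to confirm the fix. hms.example is a placeholder host."""
import html
import re
import urllib.parse

# Same payload as the GET request shown in the post.
PROBE = "<script>alert('XSS')</script>"
# A second probe without a <script> tag; defeats tag-blacklisting "fixes".
IMG_PROBE = "<img src=x onerror=alert(1)>"

ENDPOINT = "https://hms.example/hospital/hms/admin/patient-search.php"


def build_probe_url(payload=PROBE, endpoint=ENDPOINT, param="search"):
    """GET form of the probe. urlencode() percent-encodes every reserved
    character, so the string differs cosmetically from the one in the post
    (which leaves '(' and '/' bare) but decodes to the same value."""
    return endpoint + "?" + urllib.parse.urlencode({param: payload})


def decoded_search_param(url, param="search"):
    """Recover the parameter value a server would see for a probe URL."""
    return urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)[param][0]


def render_vulnerable(search):
    """Vulnerable pattern: raw parameter concatenated into HTML.
    PHP equivalent: echo "Search results for: " . $_POST['search'];"""
    return f"<p>Search results for: {search}</p>"


def render_blacklist(search):
    """Looks like a fix but is not one: the <script> probe is neutralised,
    yet any other tag carrying an event handler still executes."""
    stripped = re.sub(r"(?i)</?script[^>]*>", "", search)
    return f"<p>Search results for: {stripped}</p>"


def render_hardened(search):
    """Correct fix: encode for the HTML context at output time. quote=True
    also encodes ' and ", the equivalent of ENT_QUOTES, which matters when
    the value is reflected inside an attribute such as value="..."."""
    return f"<p>Search results for: {html.escape(search, quote=True)}</p>"


def classify_reflection(body, payload=PROBE):
    """Classify a captured response body for a given probe:
    'unencoded' - probe appears verbatim (exploitable),
    'encoded'   - only its entity-escaped form appears (fixed),
    'absent'    - neither (filtered, or not a reflection point)."""
    if payload in body:
        return "unencoded"
    no_quotes = html.escape(payload, quote=False)
    escaped_forms = (
        html.escape(payload, quote=True),            # Python style: ' -> &#x27;
        no_quotes,
        # htmlspecialchars(ENT_QUOTES | ENT_HTML5) emits &apos; and &quot;
        no_quotes.replace("'", "&apos;").replace('"', "&quot;"),
    )
    if any(form in body for form in escaped_forms):
        return "encoded"
    return "absent"


if __name__ == "__main__":
    print(build_probe_url())
    for name, render in (("vulnerable", render_vulnerable),
                         ("blacklist", render_blacklist),
                         ("hardened", render_hardened)):
        for probe in (PROBE, IMG_PROBE):
            verdict = classify_reflection(render(probe), probe)
            print(f"{name:10s} {probe!r:36s} -> {verdict}")
```

Running the script shows the blacklist renderer reporting "absent" for the script probe and "unencoded" for the image probe, which is exactly the false sense of security a tag filter gives; only the encoding renderer returns "encoded" for both. Against a live instance, feed the raw response body of the probe request to classify_reflection() with the probe you sent.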

Conclusion

CVE-2021-35388 is a significant vulnerability in the v4. release of Hospital Management System. Healthcare organizations running it should apply the fix promptly. Understanding where the flaw sits, why it occurs, and what an attacker gains from it lets stakeholders in the healthcare sector protect their systems and the patients who depend on them.

Timeline

Published on: 10/28/2022 15:15:00 UTC
Last modified on: 10/28/2022 18:33:00 UTC