CVE-2020-28403
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in Star Practice Management Web version 2019.2.0.6 lets an attacker change user privileges, including granting their own account administrative access or removing existing admin accounts. The attacker does not need the victim's credentials: they trick an authenticated user, typically one who already holds administrative rights, into visiting a malicious web page, and the victim's browser submits the forged privilege-change request with the victim's session.
💻 Affected Systems
- Star Practice Management Web
📦 What is this software?
Star Practice Management Web is the web interface of Star Practice Management, a practice management product from Star by Iris.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application with attacker gaining administrative privileges, ability to delete legitimate admin accounts, and full control over all practice management data and functions.
Likely Case
The attacker elevates their own account to administrator, gaining unauthorized access to sensitive practice and client data, which can then be stolen or modified.
If Mitigated
With proper CSRF protections and user awareness, exploitation attempts fail, maintaining normal application security and user privilege separation.
🎯 Exploit Status
Exploitation requires a victim who is logged in, holding the rights the attacker wants to abuse, to load a page under the attacker's control; the forged request is then sent with the victim's session cookie. CSRF attacks are well understood and can be weaponized with basic web development skills, since the attacker's page only needs to auto-submit a form to the privilege-change endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2019.2.0.7 or later
Vendor Advisory: https://www.starpracticemanagement.com/
Restart Required: Yes
Instructions:
1. Back up the current installation and its data.
2. Download version 2019.2.0.7 or later from the Star Practice Management website.
3. Run the installer to upgrade.
4. Restart the application services.
🔧 Temporary Workarounds
Implement CSRF Tokens
Add anti-CSRF tokens to every privilege-changing form and validate them server-side against the user's session.
This requires changes to the application code, so it can only be done by the vendor or by whoever maintains the code; there is no command or configuration switch that adds it to a deployed install.
SameSite Cookie Attribute
Set SameSite=Strict or SameSite=Lax on the session cookie so that browsers omit it from cross-site requests. Lax still sends the cookie on top-level GET navigations, so it only helps if privilege changes cannot be triggered by a GET request; Strict also withholds the cookie when a user follows a link into the application from another site. If the application cannot be changed, a reverse proxy in front of it can add the attribute to the Set-Cookie header:
Set-Cookie: sessionid=xxx; SameSite=Strict; Secure; HttpOnly
🧯 If You Can't Patch
- Put a web application firewall or reverse proxy in front of the application and reject POST requests to the privilege-management endpoints whose Origin header (or Referer header, when Origin is absent) is missing or does not match the application's own origin; apart from those headers a forged request looks identical to a legitimate one.
- Keep the number of administrative accounts to a minimum, since only an admin's session can be abused to grant admin rights, apply the principle of least privilege to everyone else, and warn administrators about phishing and about browsing untrusted sites while logged in.
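The two server-side checks described in the workarounds above, an anti-CSRF token tied to the session and an Origin/Referer check in front of the privilege-change endpoint, as an added example. This is not code from Star by Iris or from the advisory; the application origin, the endpoint path and the way a request is represented are assumptions chosen for illustration.

```python
"""
Added example, not code from Star by Iris or from the advisory: an anti-CSRF
token bound to the session plus an Origin/Referer check, applied to a request
before a privilege change is processed. Origin, endpoint path and the
request layout (method, path, headers dict, form dict) are assumptions.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "https://pm.example.internal"   # assumed deployment origin (scheme://host[:port])
PRIVILEGE_ENDPOINTS = {"/admin/privileges"}  # hypothetical privilege-change path
SERVER_SECRET = secrets.token_bytes(32)      # persist and rotate this in a real deployment


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id.nonce). It is bound to one session,
    so a token the attacker obtains from their own session is useless against a victim."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: dict) -> bool:
    """Browsers send Origin on cross-site POSTs; fall back to Referer, and refuse
    requests carrying neither, since apart from these headers a forged request
    looks exactly like a legitimate one."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin.lower() == APP_ORIGIN       # also rejects "null"
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}".lower() == APP_ORIGIN
    return False


def check_request(method: str, path: str, headers: dict, session_id: str, form: dict) -> tuple:
    """Return (allowed, reason). Safe methods pass unless they point at a
    privilege endpoint: a state change reachable by GET bypasses tokens, Origin
    checks and SameSite=Lax alike, so it is refused outright."""
    method = method.upper()
    if method in ("GET", "HEAD"):
        if path in PRIVILEGE_ENDPOINTS:
            return False, "state change over GET refused"
        return True, "safe method"
    if not origin_allowed(headers):
        return False, "origin/referer missing or foreign"
    if not csrf_token_valid(session_id, form.get("csrf_token", "")):
        return False, "anti-CSRF token missing or invalid"
    return True, "ok"


if __name__ == "__main__":
    sid = "victim-session-1"                          # constructed session id
    token = issue_csrf_token(sid)
    same_site = {"Origin": "https://pm.example.internal"}
    forged = {"Origin": "https://attacker.example"}   # what a cross-site form post carries
    print(check_request("POST", "/admin/privileges", same_site, sid, {"csrf_token": token}))
    print(check_request("POST", "/admin/privileges", forged, sid, {"csrf_token": token}))
    print(check_request("POST", "/admin/privileges", same_site, sid, {}))
```

The Origin check alone is what a reverse proxy or WAF can enforce without touching the application; the token check needs the application to embed the token in its forms, which is why the advisory lists it as a vendor-side change.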
🔍 How to Verify
Check if Vulnerable:
Check application version in Help > About menu. If version is exactly 2019.2.0.6, the system is vulnerable.
Check Version:
Check via application GUI: Help > About menu in Star Practice Management Web interface.
Verify Fix Applied:
Verify version is 2019.2.0.7 or higher in Help > About menu. Test privilege change forms for presence of CSRF tokens.
📡 Detection & Monitoring
Log Indicators:
- Multiple privilege escalation attempts from same user in short time
- Admin role changes from non-admin users
- Failed anti-CSRF token validation errors (only present once the fix or a token-based workaround is in place)
Network Indicators:
- HTTP POST requests to user-privilege endpoints whose Origin header (or Referer header, when Origin is absent) is missing or names a site other than the application's own origin
- Cross-origin requests to administrative functions
SIEM Query:
source="star-practice-logs" AND (event_type="user_role_change" OR uri_path="/admin/privileges") | stats count by src_ip, user
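The log and network indicators above, turned into detection logic and run over constructed sample log lines, as an added example. This is not code from the advisory or from Star by Iris; the log format (one event per line, a timestamp followed by key=value pairs), the field names, the application origin and the endpoint path are all assumptions, not Star Practice Management's real logging.

```python
"""
Added example, not the advisory's or the vendor's code: detection of the
indicators listed above (cross-origin POSTs to privilege endpoints, role
changes made by non-admins, bursts of role changes by one user) over
constructed log lines. Log format and field names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

APP_ORIGIN = "https://pm.example.internal"   # assumed deployment origin
PRIVILEGE_PATHS = {"/admin/privileges"}      # hypothetical privilege-change path
BURST_THRESHOLD = 3                          # role changes by one user ...
BURST_WINDOW = timedelta(seconds=60)         # ... within this window

# Constructed sample log: a normal admin action, then an account escalating
# itself via a cross-site request and removing two admins seconds later.
LOG_SAMPLE = """\
2020-11-10T09:14:02Z src_ip=10.0.0.5 user=admin1 role=admin method=POST path=/admin/privileges origin=https://pm.example.internal event=user_role_change target=jsmith new_role=user
2020-11-10T09:20:11Z src_ip=10.0.0.9 user=jsmith role=user method=POST path=/admin/privileges origin=https://attacker.example event=user_role_change target=jsmith new_role=admin
2020-11-10T09:20:12Z src_ip=10.0.0.9 user=jsmith role=admin method=POST path=/admin/privileges origin=- event=user_role_change target=admin1 new_role=user
2020-11-10T09:20:13Z src_ip=10.0.0.9 user=jsmith role=admin method=POST path=/admin/privileges origin=- event=user_role_change target=admin2 new_role=user
2020-11-10T09:30:00Z src_ip=10.0.0.5 user=admin2 role=admin method=GET path=/dashboard origin=- event=page_view
"""


def parse_line(line: str) -> dict:
    """Timestamp first, then key=value fields; '-' marks an absent header."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def analyze(lines) -> list:
    """Return one alert dict per matched rule, in log order."""
    alerts = []
    recent_role_changes = defaultdict(deque)   # user -> timestamps inside the window
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        user = ev.get("user", "?")

        # Network indicator: a POST to a privilege endpoint whose Origin is absent
        # or belongs to another site is what a CSRF-driven request looks like.
        if ev.get("method") == "POST" and ev.get("path") in PRIVILEGE_PATHS:
            origin = ev.get("origin", "-")
            if origin == "-" or origin.lower() != APP_ORIGIN:
                alerts.append({"rule": "cross_origin_privilege_post", "user": user,
                               "src_ip": ev.get("src_ip"), "origin": origin})

        if ev.get("event") == "user_role_change":
            # Log indicator: a role change recorded against a non-admin session.
            if ev.get("role") != "admin":
                alerts.append({"rule": "role_change_by_non_admin", "user": user,
                               "target": ev.get("target"), "new_role": ev.get("new_role")})
            # Log indicator: several role changes by one user in a short time.
            window = recent_role_changes[user]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) == BURST_THRESHOLD:   # fires once, when the threshold is hit
                alerts.append({"rule": "role_change_burst", "user": user, "count": len(window)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG_SAMPLE.splitlines()):
        print(alert)
```

The first sample line produces nothing (same-origin POST by an admin); every alert comes from the jsmith session, which is the behaviour the SIEM query above is grouping by `src_ip, user` to surface.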