Difference between revisions of "Security Alert Fixes"

From OpenEMR Project Wiki
Line 8: Line 8:
:*Security exploit: (Multiple cross-site scripting)
:*Security exploit: (Multiple cross-site scripting)
::*http://packetstormsecurity.org/files/103810
::*http://packetstormsecurity.org/files/103810
::*There are 4 items here. The last two are in messages.php which now uses the new security model, so should be fixed. The first two use calendar/index.php which I do not think has been addressed. Note, however, that the provided POC links do not reproduce the vulnerability (meaning I can't reproduce the vulnerabilities).
::*There are 4 items here.
:::*The first two items still exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
:::*The last 2 items will be fixed in next 4.1.1 patch and dev version.
The last two are in messages.php which now uses the new security model, so should be fixed. The first two use calendar/index.php which I do not think has been addressed. Note, however, that the provided POC links do not reproduce the vulnerability (meaning I can't reproduce the vulnerabilities).
::*Still unable to confirm, but first two calendar items still likely exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
::*Still unable to confirm, but first two calendar items still likely exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
:*Security exploit: (Multiple sql-injection)
:*Security exploit: (Multiple sql-injection)

Revision as of 22:33, 19 February 2013

Place to record and track OpenEMR security alerts and their fixes:

  • Fixed in most recent 4.0.0 patch and dev version
  • Fixed in most recent 4.0.0 patch and dev version
  • This link is dead. Bradymiller 20:04, 30 November 2012 (UTC)
  • Security exploit: (Multiple cross-site scripting)
  • The first two items still exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
  • The last 2 items will be fixed in next 4.1.1 patch and dev version.

The last two are in messages.php which now uses the new security model, so should be fixed. The first two use calendar/index.php which I do not think has been addressed. Note, however, that the provided POC links do not reproduce the vulnerability (meaning I can't reproduce the vulnerabilities).

  • Still unable to confirm, but first two calendar items still likely exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
  • Security exploit: (Multiple sql-injection)
  • http://secunia.com/advisories/46560/
  • There are three items here. The third item has been fixed, however, unsure of the first two.
  • The second item has been fixed and committed to the dev branch and is in the most recent 4.1.1 patch.
  • The first item likely still exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
  • Security exploit: (One sql-injection)
  • Security exploit: (One sql-injection)
  • Security exploit: (Multiple Local File Inclusion and arbitrary command execution vulnerabilities)
  • Security exploit: (arbitrary file upload vulnerability)
  • Security exploit: (Multiple Vulnerabilities)
  • http://secunia.com/advisories/52145/
  • The first item is same as the arbitrary file upload vulnerability item reported above and has been fixed in most recent 4.1.1 patch and dev version.
  • The second item still exists. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
  • The third item is fixed in most recent 4.1.1 patch and dev version.
  • The fourth item still exists. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
  • The fifth item will be fixed in next 4.1.1 patch and dev version.
  • The sixth item will be fixed in next 4.1.1 patch and dev version.
  • The seventh item is fixed in most recent 4.1.1 patch and dev version.