Difference between revisions of "Security Alert Fixes"

Revision as of 22:33, 19 February 2013

Place to record and track OpenEMR security alerts and their fixes:

The first two items likely still exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
The last 2 items will be fixed in next 4.1.1 patch and dev version.

Still unable to confirm, but first two calendar items still likely exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.

http://secunia.com/advisories/46560/
There are three items here. The third item has been fixed, however, unsure of the first two.
The second item has been fixed and committed to the dev branch and is in the most recent 4.1.1 patch.
The first item likely still exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.

Security exploit: (Multiple Local File Inclusion and arbitrary command execution vulnerabilities)

http://secunia.com/advisories/52145/
The first item is same as the arbitrary file upload vulnerability item reported above and has been fixed in most recent 4.1.1 patch and dev version.
The second item still exists. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
The third item is fixed in most recent 4.1.1 patch and dev version.
The fourth item still exists. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
The fifth item will be fixed in next 4.1.1 patch and dev version.
The sixth item will be fixed in next 4.1.1 patch and dev version.
The seventh item is fixed in most recent 4.1.1 patch and dev version.

@@ Line 9: / Line 9: @@
 ::*http://packetstormsecurity.org/files/103810
 ::*There are 4 items here.
-:::*The first two items still exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
+:::*The first two items likely still exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
 :::*The last 2 items will be fixed in next 4.1.1 patch and dev version.
-The last two are in messages.php which now uses the new security model, so should be fixed. The first two use calendar/index.php which I do not think has been addressed. Note, however, that the provided POC links do not reproduce the vulnerability (meaning I can't reproduce the vulnerabilities).
 ::*Still unable to confirm, but first two calendar items still likely exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
 :*Security exploit: (Multiple sql-injection)