Details
- Type: Bug
- Status: Code Review (Initial)
- Priority: Should
- Resolution: Unresolved
- Affects Version/s: Reference Application 2.10.0
- Fix Version/s: None
- Component/s: Security
- Labels:
- Complexity: Low
- Sprint: Ref App 2.11 Release Sprint 3, Ref App 2.12 Priorities
Description
Several pages in the RA are vulnerable to XSS attacks. The vulnerability can be reproduced by creating a patient with JavaScript in the surname and address fields; see https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698, https://talk.openmrs.org/t/xss-still-possible-in-registration-summary-edit-section-page/26729 and several other pages under the 'Configure Metadata' and 'System Administration' apps.
More vulnerabilities are listed at http://packetstormsecurity.com/files/128748
It would be worth investigating other vulnerable areas in the UI.
Acceptance Criteria
- The page https://wiki.openmrs.org/x/h5UvAg should have a section documenting how to escape user-entered content using the UiUtils.escape* methods, with examples
- The specific vulnerability mentioned in https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698 is fixed
- A new ticket exists to go through the whole 2.x UI and clean up XSS vulnerabilities
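The kind of example the documentation criterion above asks for, written here as an added illustration (not code from the ticket or from the OpenMRS wiki): the same patient fields rendered in a GSP page fragment, first interpolated raw and then escaped with the UiUtils method that matches the output context. `patient` is an assumed model object, and `jq` is the jQuery alias the Reference Application pages use.

```groovy
<%
    // Added example GSP fragment, not part of the ticket.
    // 'patient' is an assumed model object exposing familyName and address1.
%>

<%-- VULNERABLE: raw interpolation; markup stored in the surname is parsed as HTML --%>
<h1>${ patient.familyName }</h1>

<%-- FIXED, HTML text context: escapeHtml turns <, >, & and quotes into entities --%>
<h1>${ ui.escapeHtml(patient.familyName) }</h1>

<%-- FIXED, double-quoted attribute context: escapeHtml also encodes the double
     quote, so the stored value cannot close the attribute and start a new one --%>
<input type="text" name="address1" value="${ ui.escapeHtml(patient.address1) }" />

<%-- FIXED, JavaScript string-literal context: escapeJs, and the value stays inside
     a quoted literal. Insert it into the DOM as text, never as HTML. --%>
<script type="text/javascript">
    var familyName = "${ ui.escapeJs(patient.familyName) }";
    jq('#summary').text(familyName);   // .text(), not .html()
</script>
```

Each output location needs the escaper for its own context: a value that is safe in an HTML text node is not automatically safe inside a script block, and vice versa.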
Process Notes
We should create subtasks for (groups of) vulnerabilities, and let people fix them in parallel.
Attachments
| # | Issue | Status | Assignee |
|---|-------|--------|----------|
| 1 | Patient names aren't sanitized, enabling malicious activity | Approved | Daniel Kayiwa |
| 2 | XSS on phone number field | Approved | Daniel Kayiwa |
| 3 | Stored XSS in Patient Address | Approved | Daniel Kayiwa |
| 4 | Stored XSS in name and description fields in reports | Approved | Daniel Kayiwa |
| 5 | Stored XSS in appointment types | Approved | Daniel Kayiwa |
| 6 | Stored XSS in locations | Approved | Daniel Kayiwa |
| 7 | Stored XSS in telephone number field | Approved | Ian Bacher |
| 8 | Stored XSS in Diagnoses section of patient.page | Approved | Daniel Kayiwa |
| 9 | Reflected XSS in returnUrl parameter | Approved | Moses Mutesasira |
| 10 | escapeJs vulnerable to XSS | Ready for Work | Unassigned |
| 11 | XSS attack in toast messages after patient registration | Approved | Wyclif Luyima |
| 12 | XSS attack in toast messages after patient visit | Approved | Wyclif Luyima |
| 13 | Reflected XSS reported by Sarah Elder | Approved | Ian Bacher |
| 14 | Stored XSS in Appointment Scheduling UI | Approved | Ian Bacher |