RA-452 (Reference Application)

XSS vulnerabilities in Ref App 2.x


Details

Complexity: Low

Description

There are several pages in the RA that are vulnerable to XSS attacks. One vulnerability can be reproduced when creating a patient with JS specified in the surname and address fields; see https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698 and https://talk.openmrs.org/t/xss-still-possible-in-registration-summary-edit-section-page/26729, and several other pages under the 'Configure Metadata' and 'System Administration' apps.

There are more vulnerabilities mentioned at http://packetstormsecurity.com/files/128748

It would be worth investigating other vulnerable areas in the UI.

Acceptance Criteria

1. The page https://wiki.openmrs.org/x/h5UvAg should have a section documenting how to escape user-entered content using UiUtils.escape* methods, and examples
2. The specific vulnerability mentioned in https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698 is fixed
3. A new ticket exists to go through the whole 2.x UI and clean up XSS vulnerabilities

Process Notes

We should create subtasks for (groups of) vulnerabilities, and let people fix them in parallel.
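For the escaping guidance requested in acceptance criterion 1, the fragment below is an added illustration, not code from this ticket or from the Reference Application, of a registration-summary style Groovy page rendered first without escaping and then with the UiUtils escapers. `ui.escapeHtml`, `ui.escapeAttribute` and `ui.escapeJs` are the method names as I recall them from the uiframework module's UiUtils; confirm them against the UiUtils class in the version being patched. The `patient` model object and its `familyName` and `address` properties are assumed for the example.

```groovy
<% /* Added example: the same two registration fields rendered both ways.
      `ui` is the UiUtils instance a Reference Application GSP receives;
      `patient.familyName` and `patient.address` are assumed model values. */ %>

<% /* VULNERABLE: the value typed into the surname field at registration is
      written into the page verbatim, so markup or script entered there runs
      in the browser of everyone who later views this patient. */ %>
<td>${ patient.familyName }</td>
<input type="text" name="address" value="${ patient.address }"/>
<script>var surname = '${ patient.familyName }';</script>

<% /* HARDENED: escape for the context the value lands in. HTML body,
      attribute value and JavaScript string literal each need their own
      escaper; applying only escapeHtml to the script line is not enough. */ %>
<td>${ ui.escapeHtml(patient.familyName) }</td>
<input type="text" name="address" value="${ ui.escapeAttribute(patient.address) }"/>
<script>var surname = '${ ui.escapeJs(patient.familyName) }';</script>
```

The review habit this encodes is to treat every `${ ... }` that carries user-entered data as a finding unless it is wrapped in the escaper for its context; that is also a workable way to split the clean-up into the per-page subtasks the process notes ask for. Where a value has to reach JavaScript, emitting it as an escaped HTML attribute and reading it from the DOM avoids the inline `<script>` case altogether.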

Attachments

1. 2020-04-07_14-23_1.png (176 kB)
2. 2020-04-07_14-23.png (17 kB)

People

Assignee: samuel34 (Samuel Male)
Reporter: wyclif (Wyclif Luyima)
Votes: 3
Watchers: 17


Time Tracking

Original Estimate: Not Specified
Remaining Estimate: Not Specified
Time Spent: 5h