Project: Reference Application
Parent issue: RA-452 XSS vulnerabilities in Ref App 2.x
Issue: RA-545

Patient names aren't sanitized, enabling malicious activity


    Details

    • Type: Technical task
    • Status: Approved
    • Priority: Should
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Complexity: Undetermined
    • Sprint: Ref App 2.11 Release Sprint 3, Ref App 2.12 Priorities

      Description

      Patient names aren't sanitized before being injected into code. This is a serious vulnerability; a malicious user could do this (only one of the scenarios that I could think of). These are also steps to reproduce:

      1. Log in to devtest02 or another recent installation
      2. Create a new patient. Fill in all other fields normally, but set the first name to |"); Bob| (take everything between the |'s)
      3. Now the fun part. Since this user input is used directly in JavaScript on the page, and since we just created that patient, they show up on the patient search page. Since this causes the JavaScript to completely break, the patient search page doesn't work.

      This is only one terrible thing one could do with this vulnerability. A person could also, conceivably, log users' IP addresses by sending a request to a remote URL. The only limit is the 50-character limit on the field.

      Here's how it breaks the patient search page:

      Normally, the page generates a script like this to add each patient:

      lastViewedPatients.push({uuid:"027871ca-42c2-4a03-8bd4-47a407af7bc0",fullName:"Imran Tatriev",gender:"M",
              age:"", birthdate:"01-Jan-15",
              birthdateEstimated: false, identifier:"10008D"});
      

      However, since the full name isn't sanitized before being put into the code, we can craft a string that makes this happen:

      lastViewedPatients.push({uuid:"ea9cd353-0aec-4c30-837e-5afa91c7fb13",fullName:""); Bob sdf",gender:"M",
              age:"24", birthdate:"02-Feb-90",
              birthdateEstimated: false, identifier:"1000LL"});
      

      This isn't valid JS, and it causes an Uncaught SyntaxError: Unexpected token ). That then breaks the entire patient search page.
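      The following Node.js script is an added example, not code from the OpenMRS Reference Application or from the reporter. It rebuilds the two generated `lastViewedPatients.push(...)` lines quoted above from constructed patient records, renders them the way the vulnerable template does (raw string concatenation) and the way a fixed template should (JSON-serialize each record, then escape the characters that are still dangerous inside an inline script), and then parses each result with `new Function` as a stand-in for the browser parsing the page's inline script. The function names `renderVulnerable`, `renderSafe`, `jsLiteral` and `runGeneratedScript`, and the extra `</script>` check at the end, are assumptions made for this example.

```javascript
// Added example (not OpenMRS code): why unescaped patient names break the
// generated script, and how to embed them safely.

// Constructed sample records mirroring the two snippets in the report.
// The second one carries the reported payload as its first name: "); Bob
const SAMPLE_PATIENTS = [
  { uuid: "027871ca-42c2-4a03-8bd4-47a407af7bc0", fullName: "Imran Tatriev", gender: "M",
    age: "", birthdate: "01-Jan-15", birthdateEstimated: false, identifier: "10008D" },
  { uuid: "ea9cd353-0aec-4c30-837e-5afa91c7fb13", fullName: '"); Bob sdf', gender: "M",
    age: "24", birthdate: "02-Feb-90", birthdateEstimated: false, identifier: "1000LL" },
];

// Vulnerable rendering (hypothetical name): the template concatenates raw
// field values straight into JavaScript source, exactly as the report shows.
function renderVulnerable(patients) {
  return patients.map((p) =>
    `lastViewedPatients.push({uuid:"${p.uuid}",fullName:"${p.fullName}",gender:"${p.gender}",` +
    `age:"${p.age}", birthdate:"${p.birthdate}",` +
    `birthdateEstimated: ${p.birthdateEstimated}, identifier:"${p.identifier}"});`
  ).join("\n");
}

// Encode any value as a JavaScript literal that is safe inside a <script>
// element. JSON.stringify handles quotes and backslashes; the extra
// replacements stop "</script>" from ending the element early and keep the
// line terminators U+2028/U+2029 from breaking older parsers.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Safe rendering (hypothetical name): serialize the whole record once
// instead of splicing each field into hand-written source.
function renderSafe(patients) {
  return patients.map((p) => {
    const record = {
      uuid: p.uuid, fullName: p.fullName, gender: p.gender, age: p.age,
      birthdate: p.birthdate, birthdateEstimated: p.birthdateEstimated,
      identifier: p.identifier,
    };
    return `lastViewedPatients.push(${jsLiteral(record)});`;
  }).join("\n");
}

// Parse and run a generated script the way the browser would, returning the
// resulting array or the parse error (a SyntaxError means the page broke).
function runGeneratedScript(script) {
  try {
    const fn = new Function(`const lastViewedPatients = [];\n${script}\nreturn lastViewedPatients;`);
    return { ok: true, patients: fn() };
  } catch (e) {
    return { ok: false, error: `${e.name}: ${e.message}` };
  }
}

// Stand-alone demonstration.
console.log("vulnerable:", runGeneratedScript(renderVulnerable(SAMPLE_PATIENTS)));
console.log("safe:", runGeneratedScript(renderSafe(SAMPLE_PATIENTS)));
```

      With only the first (benign) record, the vulnerable rendering parses fine, which is why the bug is easy to miss; adding the `"); Bob` record turns the whole inline script into a SyntaxError, and every record in the list disappears along with it. The safe rendering round-trips the payload as data. The 50-character limit mentioned above is not a control: it bounds the payload size, not whether the field is interpreted as code, so output encoding is the fix.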


      People

    • Assignee: dkayiwa (Daniel Kayiwa)
    • Reporter: parkererway (Parker Erway)
    • Votes: 1
    • Watchers: 4
