Details

    • Type: Technical task
    • Status: Accepted
    • Priority: Should
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Complexity:
      Undetermined

      Description

      Patient names aren't sanitized before being injected into code. This is a serious vulnerability; a malicious user could do this (only one of the scenarios that I could think of). These are also steps to reproduce:

      1. Login to devtest02 or another recent installation
      2. Create a new patient. Fill in all other fields normally, but set the first name to |"); Bob| (take everything between the |'s)
      3. Now the fun part. Since this user input is used directly in JavaScript on the page, and since we just created that patient, they show up on the patient search page. Since this causes the javascript to completely break, the patient search page doesn't work.

      This is only one terrible thing one could do with this vulnerability. A person could also, conceivably, log user's IP addresses by sending a request to a remote URL. The only limit is the 50-character limit on the field.

      Here's how it breaks the patient search page:

      Normally, the page generates a script like this to add each patient:

      lastViewedPatients.push({uuid:"027871ca-42c2-4a03-8bd4-47a407af7bc0",fullName:"Imran Tatriev",gender:"M",
              age:"", birthdate:"01-Jan-15",
              birthdateEstimated: false, identifier:"10008D"});
      

      However, since the full name isn't sanitized before being put into the code, we can craft a string that makes this happen:

      lastViewedPatients.push({uuid:"ea9cd353-0aec-4c30-837e-5afa91c7fb13",fullName:""); Bob sdf",gender:"M",
              age:"24", birthdate:"02-Feb-90",
              birthdateEstimated: false, identifier:"1000LL"});
      

      Which isn't valid JS, and causes a Uncaught SyntaxError: Unexpected token ). This then breaks the entire patient search page.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                dkayiwa Daniel Kayiwa
                Reporter:
                parkererway Parker Erway
              • Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: