TB-1 (TB Module): Reflected XSS in Patient Display

    Details

Complexity: Low

      Description

This reflected XSS vulnerability was discovered during the January 2013 FlossHack event and is credited to Kevin Jacobs. The reproducing request is:

      https://mdrtbdemo.pih-emr.org/openmrs/module/mdrtb/mdrtbListPatients.form?name=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&identifier=&location=&enrolledOnOrAfter=&enrolledOnOrBefore=&enrollment=ever&displayMode=basic

Expected behavior: values taken from the URL request parameters should be HTML-escaped before they are written into the page.

Observed behavior: the name parameter from the URL is inserted into the response unescaped and rendered as HTML, so script supplied in the request is reflected and executed. (Note: Chrome's built-in XSS filter notices that the script in the response matches the script in the URL and blocks it, but the block is reported as an error in the browser console; other browsers render the reflected script.)
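The following is an added example, not code from the mdrtb module or from the reporter, contrasting the vulnerable pattern described above (a request parameter concatenated straight into markup) with the expected behavior (the same value escaped at the point of output). It assumes, for illustration only, that the patient-list page echoes the submitted name back into the search field; the `escapeHtml` helper is written inline so the example is self-contained, and does what JSTL's `<c:out>` / `fn:escapeXml` or Spring's `HtmlUtils.htmlEscape` would do in the real JSP.

```java
// Added example (not the mdrtb module's code): unescaped vs escaped rendering
// of a request-derived value in a server-side HTML fragment.
public class PatientListEscapeDemo {

    /**
     * Minimal HTML entity escaper. Equivalent in effect to JSTL's fn:escapeXml
     * or <c:out>, which is what the fix in a JSP view would normally use.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Vulnerable pattern (the observed behavior): the name parameter is
     * concatenated directly into the markup, so a quote in the value closes
     * the attribute and the rest is parsed as HTML.
     */
    static String renderSearchFieldUnsafe(String name) {
        return "<input type=\"text\" name=\"name\" value=\"" + name + "\"/>";
    }

    /**
     * Hardened pattern (the expected behavior): the value is escaped at the
     * point it is written into HTML, so it can only ever be attribute text.
     */
    static String renderSearchFieldSafe(String name) {
        return "<input type=\"text\" name=\"name\" value=\"" + escapeHtml(name) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed input: the URL-decoded value of the name= parameter
        // from the request quoted in this ticket.
        String name = "\"><script>alert(1)</script>";

        System.out.println("unsafe: " + renderSearchFieldUnsafe(name));
        // -> the attribute is closed early and a <script> element is emitted

        System.out.println("safe:   " + renderSearchFieldSafe(name));
        // -> <input type="text" name="name" value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"/>

        // The escaped output contains no raw '<' or '"' from the input, which is
        // the property a regression check for this ticket should assert on.
        boolean safe = !renderSearchFieldSafe(name).contains("<script");
        System.out.println("script tag absent from escaped output: " + safe);
    }
}
```

The important design point is that escaping is applied where the value meets the HTML, not where it is read from the request: the same `name` may later be used in a SQL query, a log line or a JSON response, each of which needs its own encoding. In a JSP view the equivalent is to never write `${param.name}` or `<%= request.getParameter("name") %>` directly, and to use `<c:out value="${param.name}"/>` (or `fn:escapeXml`) instead.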

People

Assignee: Unassigned
Reporter: Burke Mamlin (burke)

Time Tracking

Estimated: 4h (original estimate)
Remaining: 4h
Logged: Not specified