TB Module: TB-1

Reflected XSS in Patient Display


    Details

    • Complexity:
      Low

      Description

      This reflected XSS vulnerability was discovered during the January 2013 FlossHack event and is credited to Kevin Jacobs. The name parameter of the following URL carries the URL-encoded payload "><script>alert(1)</script>:

      https://mdrtbdemo.pih-emr.org/openmrs/module/mdrtb/mdrtbListPatients.form?name=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&identifier=&location=&enrolledOnOrAfter=&enrolledOnOrBefore=&enrollment=ever&displayMode=basic

      Expected behavior: request parameters echoed back into the page should be HTML-escaped so that they render as literal text.

      Observed behavior: the name parameter from the URL is written into the response unescaped and interpreted as HTML, so the injected script executes (reflected XSS). Note: Chrome's XSS Auditor detects script in the response that matches script in the URL and blocks it, though the block shows up as an error in the console; other browsers let it through. That auditor has since been removed from Chrome, so browser-side filtering must not be counted on as a mitigation; the fix is output encoding on the server.
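The rendering bug behind this ticket, reduced to a runnable Java example. This is added illustration, not code from the OpenMRS MDR-TB module: the real mdrtbListPatients.form page is a Spring MVC controller with a JSP view, and the two render methods below are stand-ins for it. The example assumes the name parameter is reflected into the value attribute of the search form's text box, which is inferred from the payload opening with `">` (an attribute-and-tag break-out) and is not confirmed by the ticket.

```java
import java.util.Map;

/**
 * Added example, not OpenMRS module code: shows why the name parameter in
 * TB-1 becomes script, and what the escaped rendering looks like instead.
 */
public class ReflectedXssDemo {

    /** Escapes the five characters that can break out of HTML text or attribute context. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable (assumed context): the search form repopulates its name box from the raw parameter. */
    public static String renderSearchFormVulnerable(Map<String, String> params) {
        String name = params.getOrDefault("name", "");
        return "<input type=\"text\" name=\"name\" value=\"" + name + "\">";
    }

    /** Fixed: same markup, but the parameter is HTML-escaped before it reaches the page. */
    public static String renderSearchFormFixed(Map<String, String> params) {
        String name = params.getOrDefault("name", "");
        return "<input type=\"text\" name=\"name\" value=\"" + escapeHtml(name) + "\">";
    }

    /** Crude check used only by this demo: does a raw <script tag survive into the output? */
    public static boolean containsScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // The TB-1 payload, URL-decoded: name=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
        String payload = "\"><script>alert(1)</script>";
        // Constructed stand-in for the servlet request parameters.
        Map<String, String> params = Map.of("name", payload);

        String vulnerable = renderSearchFormVulnerable(params);
        String fixed = renderSearchFormFixed(params);

        System.out.println("vulnerable: " + vulnerable);
        System.out.println("fixed:      " + fixed);
        System.out.println("script tag reaches page (vulnerable): " + containsScriptTag(vulnerable));
        System.out.println("script tag reaches page (fixed):      " + containsScriptTag(fixed));
    }
}
```

In the module's JSP view the equivalent fix is to render the parameter through JSTL's `<c:out value="${param.name}"/>` or `${fn:escapeXml(param.name)}` rather than `${param.name}` or a raw scriptlet; the same rule applies to the other parameters in the URL (identifier, location, dates), since any of them reflected unescaped would open the same hole. Encoding must match the context the value lands in: an HTML escaper is correct for text and attribute values, but a value dropped into a script block or a URL needs JavaScript or URL encoding instead.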


    People

    Assignee: Unassigned
    Reporter: Burke Mamlin (burke)
    Votes: 0
    Watchers: 6


    Time Tracking

    Estimated: 4h (original estimate)
    Remaining: 4h
    Logged: Not specified