TB Module / TB-1

Reflected XSS in Patient Display


Details

    • Low

    Description

      This reflected XSS security risk was discovered during the January 2013 FlossHack event and is credited to Kevin Jacobs:

      https://mdrtbdemo.pih-emr.org/openmrs/module/mdrtb/mdrtbListPatients.form?name=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&identifier=&location=&enrolledOnOrAfter=&enrolledOnOrBefore=&enrollment=ever&displayMode=basic

      Expected behavior: characters from the URL request should be escaped before they are rendered into the page.

      Observed behavior: the name parameter from the URL is interpreted and rendered as HTML, allowing reflected XSS (note: Chrome detects the script in the URL matching the script in the response and blocks it, but the error can be seen in the console; other browsers let it through).
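      The contrast between the observed and expected behavior, as an added example that is not code from the mdrtb module: the `name` query parameter is taken from the reported URL, echoed once by string concatenation (the vulnerable form) and once after HTML encoding (the expected form). The input template and function names are assumptions for illustration, not the module's own JSP.

```javascript
// Added example (not OpenMRS/mdrtb module code): shows why the raw `name`
// parameter must be HTML-encoded before it is echoed into the patient list page.

// The URL from the issue report, used as the sample input.
const REPORTED_URL =
  "https://mdrtbdemo.pih-emr.org/openmrs/module/mdrtb/mdrtbListPatients.form" +
  "?name=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&identifier=&location=" +
  "&enrolledOnOrAfter=&enrolledOnOrBefore=&enrollment=ever&displayMode=basic";

// Extract the `name` parameter as the server sees it after URL decoding.
function nameParamFrom(url) {
  return new URL(url).searchParams.get("name") ?? "";
}

// Observed behavior: the raw value is concatenated into an attribute, so the
// leading `">` closes the attribute and tag and the rest is parsed as markup.
function renderNameFieldUnsafe(name) {
  return '<input type="text" name="name" value="' + name + '">';
}

// Encode the characters that carry meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Expected behavior: same template, value encoded before insertion.
function renderNameFieldSafe(name) {
  return '<input type="text" name="name" value="' + escapeHtml(name) + '">';
}

// True when the rendered fragment still contains a live <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  const name = nameParamFrom(REPORTED_URL);
  console.log("unsafe:", renderNameFieldUnsafe(name));
  console.log("safe:  ", renderNameFieldSafe(name));
}
```

In the mdrtb JSP the equivalent of `escapeHtml` is output-encoding the value with `<c:out>` or a library escaper rather than writing the request parameter directly.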


    People

      jnsereko Joshua Nsereko
      burke Burke Mamlin
      Votes: 0
      Watchers: 9


    Time Tracking

      Original Estimate: 4h
      Time Spent: 1h
      Remaining Estimate: 3h