Uploaded image for project: 'OpenMRS Core'
  1. OpenMRS Core
  2. TRUNK-3931

Multiple Stored XSS via Patient Name

    XMLWordPrintable

Details

    • Medium

    Description

      The create patient flow is allows stored XSS when using the following
      name (script is executed when loading mdrtbEditPatient.form, and
      potentially other pages that display the patient name).
      "><script>alert("xss")</script>

      Other places where patient/user name injects script:
      module/reporting/reports/reportHistory.form (xss in automatically populated into the "Requested By" dropdown)
      admin/users/user.form (Which Person? textbox autocomplete fires it)
      admin/encounters/encounter.form (same dropdown as above. Just fix this control)
      patientDashboard.form (multiple places where the name is displayed. Main page, demographics tab.
      Every page when logged in as the xss username ("Currently logged in as <script>..") (meh..)
      Privilege escalation scenario:
      Setup: Admin creates "Person" record and links it to a User account.
      1. User can change his/her name to include an XSS string (steal session cookie)
      2. User gets admin to visit their "Person" profile, i.e.
      admin/person/person.form?personId=93483. Script could steal admin
      cookie and send it to a malicious url.

      This issue was originally reported by: Kevin Jacobs

      Gliffy Diagrams

        Attachments

          1. create_patient_error.png
            67 kB
            Akash Agrawall
          2. create_patient_output.png
            93 kB
            Akash Agrawall
          3. create_patient_output1.png
            110 kB
            Akash Agrawall
          4. TRUNK - 3931 Pic.PNG
            16 kB
            Robert Day

          Activity

            People

              marv Marvin Frick
              sgithens Steven Githens
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 4 hours Original Estimate - 4 hours
                  4h
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 6 hours
                  6h