2013-03-21 Developers Forum

Date

03/21/2013

How to Join


By telephone

  • US telephone number: +1 201.479.2627

Agenda

  • Quickly review previous meeting minutes (5 min)

  • OpenMRS Security – reviewing feedback from January 2013 FLOSSHacks event

  • After-action review & next week's agenda (5 min)

Minutes

Developers Forum 2013-03-21

Recording: http://connect.iu.edu/p7gc1kmy1go/

Agenda

  • OpenMRS Security – reviewing feedback from FLOSSHacks event

Attendees

  • Michael Downey

  • Burke Mamlin

  • Nyoman Ribeka

  • Daniel Kayiwa

  • Saptarshi Purkayastha

  • Steve Githens

  • Wyclif Luyima

  • Andrea Patterson

  • Bryan Adams ♬

  • Darius Jazayeri

  • Paul Biondich

  • Lauren Stanisic

  • Ada Yeung

Minutes

http://cve.mitre.org

http://cve.mitre.org/cgi-bin/cvename.cgi?name=***

Vulnerabilities

===============

XSS

* Patient Display

* Patient Name

* Dimension Name

* Concept Name

* Form Fields name/description

* Locations

Sessions

* JSESSIONIDs exposed in URL

* JSESSIONID assigned before login, used as session cookie after login.

* Lack of HTTPOnly flag on JSESSIONID cookies
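The three session findings above can be checked from the response headers of a single login exchange. The audit helper below is an added example, not code from these minutes or from OpenMRS; the headers it inspects are constructed samples, and the cookie name JSESSIONID plus Tomcat's ";jsessionid=" URL-rewriting form are the only page-specific assumptions.

```python
import re

SESSION_COOKIE = "JSESSIONID"

# Constructed sample exchanges (not from the original page): Set-Cookie headers
# sent before login and in the post-login redirect, plus that redirect's Location.
VULNERABLE = {
    "pre_login":  ["JSESSIONID=A1B2C3D4E5F60718; Path=/openmrs"],
    "post_login": ["JSESSIONID=A1B2C3D4E5F60718; Path=/openmrs"],
    "location":   "https://example.invalid/openmrs/index.htm;jsessionid=A1B2C3D4E5F60718",
}
HARDENED = {
    "pre_login":  ["JSESSIONID=A1B2C3D4E5F60718; Path=/openmrs; HttpOnly"],
    "post_login": ["JSESSIONID=9F8E7D6C5B4A3210; Path=/openmrs; HttpOnly"],
    "location":   "https://example.invalid/openmrs/index.htm",
}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs

def session_cookies(headers):
    """Return [(value, attrs)] for every Set-Cookie that carries the session cookie."""
    found = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name == SESSION_COOKIE:
            found.append((value, attrs))
    return found

def audit_session_handling(exchange):
    """Return whichever of the three session findings the exchange exhibits."""
    findings = []
    pre = session_cookies(exchange["pre_login"])
    post = session_cookies(exchange["post_login"])
    # Fixation: the id issued before authentication is kept after login.
    if pre and post and pre[-1][0] == post[-1][0]:
        findings.append("session id not rotated at login")
    # HttpOnly keeps the cookie out of reach of page script, limiting XSS impact.
    if any(not attrs.get("httponly") for _, attrs in pre + post):
        findings.append("session cookie missing HttpOnly")
    # URL rewriting (";jsessionid=") leaks the id into logs, Referer headers and history.
    if re.search(r";jsessionid=", exchange.get("location", ""), re.IGNORECASE):
        findings.append("session id exposed in URL")
    return findings
```

Running `audit_session_handling(VULNERABLE)` reports all three findings, while the hardened exchange (rotated id, HttpOnly set, no URL rewriting) reports none.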

Runtime Properties

* Created as world readable

* Unsafe location (/usr/share/tomcat7/.OpenMRS/ is bad; /var/lib/tomcat7/webapps/openmrs/ would be better)

Passwords

* Forgotten Password Form leaks valid usernames

* Weak login brute-force mitigation, plus a bug in parsing security.loginAttemptsAllowedPerIP

SQL Injection

* ConceptValidatorChangeSet.isNameUniqueInLocale

XXE

* UpdateFileParser.java

________________________________

Vulnerabilities

===============

=== Issue #1: Reflected XSS in Patient Display ===

Credit: Kevin Jacobs

[http://cve.mitre.org/cgi-bin/cvename.cgi?name= ]