Re: [openemr:discussion] OpenEMR 4.1.2

dokellie wrote on Friday, June 28, 2013:

“if users need to harden their security”… This program and the data within it need to be as secure as possible. If I have to physically double lock hard copies of pt info within my office then my software has to have similar protection.

Sent from Samsung Mobile

-------- Original message --------
Subject: [openemr:discussion] OpenEMR 4.1.2
From: Brady Miller bradymiller@users.sf.net
To: “[openemr:discussion]” 202506@discussion.openemr.p.re.sf.net
CC:

Hi,

Upgraded it to phpmyadmin 4.0.4 (most current production release). Here is the branch:
Commits · bradymiller/openemr · GitHub

To be clear, I did it in 4 different commits (see the branch):
Commit 1: Removed old phpmyadmin
Commit 2: Unzipped phpmyadmin 4.0.4 (All Languages Version) without any modifications
Commit 3: Integrated it into OpenEMR with some minor work
Commit 4: Fixed a bug in acl.inc library, so now users besides ‘admin’ can use phpmyadmin (there were scope issues, surprised we weren’t getting bug reports on this…)

Thoughts here? This is a very frequently used tool by DIY and international users. At this point all I have heard from professionals and vendors via forum posts and private email is how we should simply remove this tool, which is then followed by proposals (i.e. no work, just talk) on how to fill the gap. We can always recommend on the wiki Security page that users remove it if they need to harden their security; all instruction manuals point to that page.

Also want to separate two issues here.

  1. One is security. There is a reasonable argument here that including any scripts into the codebase (such as phpmyadmin) does bring in potential for security vulnerabilities (which is why it is very reasonable to recommend removing this on the Security wiki page for users who need to harden their instance).
  2. One is limiting the autonomy of the user. Meaning, the argument of removing tools so the (usually new) user isn’t able to do some really damaging things. With this argument, we might as well then yank all of the Administration->Lists from plain sight since messing with these can break OpenEMR and degrade the patient data.

-brady
OpenEMR


tmccormi wrote on Friday, June 28, 2013:

I did the work of removing it and providing an outside configuration option this week. I’m just testing it and I will push the code to my github this evening. It’s very easy to install PHPMyAdmin separately, and it is too much work (that only Brady seems to do) to keep it updated inside OpenEMR. We need to reduce OpenEMR’s footprint; this would be a first step to making some standardized packages optional dependencies. More modular plugin integration, less trying to ship everything for everybody in one big, hard to maintain hunk.

Tony McCormick, CTO
Medical Information Integration, LLC

Direct: 713-574-6709, cell 503-330-2239
Office: 866-735-0897
@MI2_OpenEMR

On Fri, Jun 28, 2013 at 5:52 AM, Linda E. Hungerford, M.D. <dokellie@users.sf.net> wrote:

“if users need to harden their security”… This program and the data within it need to be as secure as possible. If I have to physically double lock hard copies of pt info within my office then my software has to have similar protection.


bradymiller wrote on Saturday, June 29, 2013:

These posts are from this thread:
http://sourceforge.net/p/openemr/discussion/202506/thread/a415cf97/

bradymiller wrote on Saturday, June 29, 2013:

Hi Linda,

OpenEMR is not fully secure out of the box and the community does not pretend it is (BTW, no LAMP based package is fully secure out of the box). A user needs to configure/“harden” their installation of OpenEMR, which is discussed here:
http://www.open-emr.org/wiki/index.php/Securing_OpenEMR

-brady
OpenEMR

bradymiller wrote on Saturday, June 29, 2013:

Hi Tony,

Do you plan on providing documentation on how users can easily and securely install phpmyadmin on their servers? (Note that it is generally recommended to harden phpmyadmin via Apache authentication.) I would actually argue that the phpmyadmin that is in OpenEMR is more secure than a phpmyadmin instance that a typical OpenEMR end user would blatantly install on their server. Your idea is fine, but there is way more work to be done than removing it and pointing the link to another phpmyadmin instance (i.e. lots of documentation and testing); my suggestion is that we keep the new version of phpmyadmin in the 4.1.2 release and consider having both methods available in the development version (and then trial removing it) for 4.1.3 (which would then leave time to fill in the gaps that will be missed by not embedding it).

-brady
OpenEMR
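
Brady’s recommendation above, hardening a separately installed phpMyAdmin via Apache authentication, shown as an added Apache 2.4 configuration example (not code from the thread or from the OpenEMR project). The alias path, htpasswd file location, realm name and the 192.0.2.0/24 address range are assumptions chosen for the example.

```apache
# Added example, not from the thread: a separately installed phpMyAdmin
# placed behind Apache HTTP Basic authentication. Paths, realm and the
# allowed address range are assumed values for illustration.
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options -Indexes
    AllowOverride None

    # Apache-level login is required before phpMyAdmin's own MySQL login
    # page is ever served, so unauthenticated scanners never reach the PHP.
    AuthType Basic
    AuthName "Database administration"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/.htpasswd-phpmyadmin

    # Both conditions must hold: a valid Basic-auth user AND a permitted
    # client address (localhost plus the assumed office range).
    <RequireAll>
        Require valid-user
        Require ip 127.0.0.1 ::1 192.0.2.0/24
    </RequireAll>
</Directory>

# The setup wizard directory is not needed once configured; deny it outright.
<Directory /usr/share/phpmyadmin/setup>
    Require all denied
</Directory>
```

Create the credential file with `htpasswd -B -c /etc/apache2/.htpasswd-phpmyadmin dbadmin` (bcrypt hashing, Apache 2.4 or later). Basic authentication sends the credentials on every request, so this block belongs only inside a TLS-only virtual host.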

bradymiller wrote on Saturday, June 29, 2013:

Also,

Regarding the “(that only Brady seems to do)”, this extends way beyond phpmyadmin (i.e. phpmyadmin is not some pet project I have that I am trying to keep alive). I am generally stuck (this is a strong term, because I actually enjoy doing this) doing most things that are not a feature worth paying for, but important for the project (i.e. maintenance and code walkthroughs).

-brady
OpenEMR