Securing openemr

@brady.miller

So I am looking into securing my openemr install, the wiki lists many directories for removal. I am not able to find phpmyadmin. There are long threads regarding removal. It’s a lot of reading. Was it removed then? I am assuming so since I am not finding it in my install.
Also, Tests is /interface/patient_file/encounter/Tests? There are many tests folders in the vendor directories. I don’t want to block access to the wrong directories.

https://www.open-emr.org/wiki/index.php/Securing_OpenEMR

Thanks

Sandra

Sandra, we pulled phpMyAdmin from 5.0.1, so you don’t have to worry about that bit, at least.


@robert.down ,
Just checking what this is? :slight_smile:
openemr/ViewHelperTest.php at master · openemr/openemr · GitHub

@gutiersa ,
The Tests directory is meant to just point out removal of the root Tests directory (note none of the code there should be vulnerable, but it is not needed for OpenEMR, so best to remove it).

Actually it is now tests (lowercase was changed from Tests a while back; will change that on the wiki).

btw @gutiersa ,
Looks like we’ll need an nginx section on that security wiki page :grinning:

@brady.miller
sure, or maybe a link to:
https://www.open-emr.org/wiki/index.php/OpenEMR_with_nginx_and_php-fpm

?

Regarding the tests folder, I can just block access to all tests folders, lower and upper case.

Can’t speak for any test folders I haven’t touched, but theoretically yes, all tests folders should be able to be blocked without concern. I’d be surprised and concerned if we have live code in a test folder.

@brady.miller
ok, done
I added an Nginx section in the Securing openemr page, with a link to the new OpenEMR, Nginx and PHP-FPM page.

@robert.down
@brady.miller
Well then, in nginx all the directories, anywhere, named tests can be blocked by default.
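
One way to write the rule discussed above, as an added example that is not part of the thread or of OpenEMR's own configuration. It assumes, as stated in the thread, that no live code sits in a tests folder; `server_name`, `root` and the PHP-FPM socket path are placeholders.

```nginx
# Added example; server_name, root and the socket path are placeholders.
server {
    listen 80;                          # TLS settings omitted for brevity
    server_name emr.example.test;       # placeholder
    root /var/www/openemr;              # placeholder install path
    index index.php;

    # nginx tests regex locations in the order they appear and the first
    # match wins, so this block must sit ABOVE the \.php$ handler. If it
    # came after, /vendor/x/tests/foo.php would be passed to PHP-FPM
    # instead of being refused.
    #
    # ~*         case-insensitive: tests, Tests, TESTS
    # /tests(/|$) matches a whole path segment at any depth, so
    #            /tests/ and /vendor/x/Tests/a.php are blocked while
    #            /latests/ and /tests.php are not.
    location ~* /tests(/|$) {
        return 404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }
}
```

After reloading, `nginx -t` confirms the syntax, and a request for any file under a tests directory should come back as 404 rather than being executed or served.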