Security Vulnerabilities

bradymiller wrote on Wednesday, February 29, 2012:

Hi,

Just checked in the following commit into sourceforge to implement the security model in the Drug Dispensary Module: http://github.com/openemr/openemr/commit/67c82076f8af6ca08009a8948641e57cc0b8bd90

-brady

bradymiller wrote on Tuesday, May 01, 2012:

Hi,

Here’s a commit to convert lots of the billing (and the calendar add_edit_event.php script) to the new security model. It is testing well. Please feel free to review/test:
http://github.com/bradymiller/openemr/commits/secure-billing_3

-brady
OpenEMR

bradymiller wrote on Thursday, December 27, 2012:

Hi,
Here is the commit to convert the LBF form scripts to the new security model, which was committed to sourceforge a while back:
http://github.com/openemr/openemr/commit/61c95e62f79ad2afb68a2e8b1f81e3cca20b99ea
-brady
OpenEMR

bradymiller wrote on Sunday, March 10, 2013:

Hi,

Two things:
1. Although the above binding/escaping strategy works well for parameters, it does not work well for other sql items. So, I updated this security model to escape limit numbers, other sql keys (asc, desc) and sql identifiers. The first link is the code that was committed to sourceforge and the second link is to the updated wiki page:
http://github.com/openemr/openemr/commit/f33c777e8dcef6eb44dbfae6f44ab8d62c372dae
http://www.open-emr.org/wiki/index.php/Codebase_Security#SQL-Injection_and_Cross-Scripting_Prevention

2. I am beginning to build a bit on the item above in order to explicitly escape the table names and sql column names via whitelisting (the goal is to use whitelisting rather than “sanitization” since it seems much cleaner that way and keeps things more compartmentalized). Here’s the code, so you can follow the direction I am going in (note this code is not yet fully tested):
http://github.com/bradymiller/openemr/commit/bde37a78d6ba9dbd35fcfa781c16819d5472e406

-brady
OpenEMR

bradymiller wrote on Saturday, March 16, 2013:

Hi everybody,

Here’s a commit that effectively whitelists sql columns and table names to not allow sql injection when using them as parameters. I also incorporated this into the Messages module as well. Additionally, I incorporated this (and other components of the security model) into the Forms module and specifically converted the Dictation and Work/School form. Testing well so far. Please review/test and let me know your thoughts on this:
http://github.com/bradymiller/openemr/commit/ecc7156e7027172ec06ff9807b0c89bc65bd12c8

-brady
OpenEMR

bradymiller wrote on Saturday, March 16, 2013:

oops,

Provided the wrong github link above. Here is the correct link to the commit (the one above has several bugs):
http://github.com/bradymiller/openemr/commit/3cc7e6e094a92a2c13825ec9abb2d03a80c522d1

-brady
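Brady's March 10 and March 16 posts describe a model of binding values as parameters, escaping limit numbers and the asc/desc keywords, and whitelisting table and column names. Below is an added PHP illustration of that model; it is example code, not OpenEMR's own, and the function names, the `pnotes` column list and the in-memory SQLite demo data are assumptions.

```php
<?php
// Added example of the thread's security model (not OpenEMR's code; names are
// hypothetical): bind user-supplied VALUES, cast LIMIT to an int, check the
// sort direction against {ASC, DESC}, and accept identifiers only from an allowlist.

// Allowlist of tables and, per table, the columns a script may sort by (assumed).
const ALLOWED_TABLES = ['pnotes' => ['id', 'title', 'date', 'user']];

function safeIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("identifier not whitelisted: $name");
    }
    return "`$name`"; // quoted only after it passed the allowlist check
}
function safeDirection(string $dir): string
{
    return strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC'; // anything else falls back to ASC
}
function safeLimit($n, int $max = 100): int
{
    return max(1, min((int) $n, $max)); // non-numeric input casts to 0, clamped to 1
}
function listNotes(PDO $db, string $table, string $orderBy, string $dir, $limit, string $titleLike): array
{
    if (!isset(ALLOWED_TABLES[$table])) {
        throw new InvalidArgumentException("table not whitelisted: $table");
    }
    $sql = sprintf(
        'SELECT id, title FROM %s WHERE title LIKE ? ORDER BY %s %s LIMIT %d',
        safeIdentifier($table, array_keys(ALLOWED_TABLES)),
        safeIdentifier($orderBy, ALLOWED_TABLES[$table]),
        safeDirection($dir),
        safeLimit($limit)
    );
    $stmt = $db->prepare($sql);
    $stmt->execute([$titleLike]); // the only user-supplied *value* is bound, never interpolated
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE pnotes (id INTEGER PRIMARY KEY, title TEXT, date TEXT, user TEXT)');
$db->exec("INSERT INTO pnotes (title, date, user) VALUES ('Lab result', '2013-03-17', 'brady'), ('Refill', '2013-03-16', 'tony')");

print_r(listNotes($db, 'pnotes', 'date', 'desc', '10', '%e%')); // both rows, newest first
try {
    listNotes($db, 'pnotes', 'title; --', 'asc', 5, '%'); // a sort column taken from a GET parameter is rejected, not escaped
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```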

tmccormi wrote on Sunday, March 17, 2013:

Brady,
   Thanks for the good work!  I have a question, however:

How exactly are we supposed to test this?  I have no idea how to attempt to inject SQL or XSS code…  Is there a test plan you have in mind?

Tony
www.mi-squared.com / @tonymi2
oemr.org / @OEMR_org

bradymiller wrote on Sunday, March 17, 2013:

Hi Tony,

I have no official testing plan. In regards to sql-injection and cross-scripting, we should now hopefully have the elements/functions in place to secure this. Now, the code needs to continue to be walked through and secured a module/script at a time.

A sql injection vector I used to play around in the messages module is the following (a white hat provided it), which will time out mysql for a bit (can test it by placing it within the possible get parameters in the messages script):
(case(select 1 and 1=sleep(5)) when 1 then pnotes.title end)

For cross-scripting, this is easier, just place (either place it in the get parameters of the script or enter it into the forms):
<script>alert(“hey”)</script>
And if a pop up stating “hey” shows up (on the screen if placed in a get parameter, or when the form is shown if entered into a form), then it is a vulnerability.

To test on a global level, would need a group or somebody to do a scan/analysis at some point in the future after the code walk through is complete. We could always ask Tim about that (i.e. what is needed and the resources it takes etc.) in the conference call this week.

-brady
OpenEMR

bradymiller wrote on Sunday, March 17, 2013:

Hi,

Although I haven’t committed the code yet, I updated the instructions for these new functions (they are all in Step 3):
http://www.open-emr.org/wiki/index.php/Codebase_Security#SQL-Injection_and_Cross-Scripting_Prevention

-brady
OpenEMR

robertrambo wrote on Sunday, March 17, 2013:

Hello Brady,

As you know I’m a big fan of all the great work you do here for OpenEMR.

May I suggest that you set up a test server and let us pen test on it?
I was interested in using the demo but as you know admin and pass are going to be guessed off the get go!
If you set it all up with unknown variables we will have our PoC if someone gains access.
Or downloads PHI from database
Do you have any ideas about simulating a war game on the software platform?

-Rob

robertrambo wrote on Sunday, March 17, 2013:

DVWA
Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
http://www.dvwa.co.uk/

bradymiller wrote on Monday, March 18, 2013:

Hi,

The above code is testing very well, so I just committed it to sourceforge.

Regarding the test server, sounds like a good idea, although I don’t have the time to set it up. But anybody else can set up one. I’d be rather surprised if there are any pre-authentication vulnerabilities, but anything is possible. And of course, if anybody finds any, please let us know. The current sql-injection and cross-scripting vulnerabilities in OpenEMR are post-authentication vulnerabilities (meaning, one needs to be logged into OpenEMR to do harm). There are still a lot of these in OpenEMR and there is still lots of legacy code to convert over to the new security module. Hopefully others will begin to join in on the code walk through to convert the legacy code to the new security model (it’s something I’ve been doing off/on for the last 3 years (the lifespan of this forum thread), but there’s still a lot more code to convert).

-brady
OpenEMR

visolveemr wrote on Monday, March 18, 2013:

Brady,

We would like to use the following tools to test OpenEMR security.

1. Netsparker community edition 2.3.0.18 for detecting ClearText password submission and Cross site scripting
2. XSS-Me is a firefox add-on for Cross Site Scripting Testing
3. SQL-Me is a firefox add-on for SQL injection testing
4. SQLMap 0.9 for SQL Injection testing
5. ZAP tool for Cross site scripting

Like Rob suggested, we would like to have a test server configured correctly so that the real security issues will get revealed.

Thanks,
ViSolve
services@visolve.com

bradymiller wrote on Monday, March 18, 2013:

Hi Visolve,

Sounds like a good plan. Looking forward to seeing how OpenEMR fares on your testing (I am guessing that the cross-scripting/sql injection list will be long; it will also be very useful to see if there are any of these vulnerabilities in the code that uses the new security model).

-brady
OpenEMR

visolveemr wrote on Monday, March 18, 2013:

Sure Brady. Please do let us know once the test server is configured.
We suppose it will take a week to post the results.

-ViSolve
services@visolve.com

bradymiller wrote on Monday, March 18, 2013:

Hi Visolve,

I don’t have the time to set up an online test server and am a bit unclear what the configuration settings of the test server should be. Will just installing the most recent OpenEMR development branch locally on your server suffice for your testing?

-brady
OpenEMR

visolveemr wrote on Tuesday, March 19, 2013:

Brady,
Sure, will set up the local environment and will let you know.

-ViSolve
services@visolve.com

robertrambo wrote on Wednesday, March 20, 2013:

Hello,

Folder of interest on domain below " / " (Strictly related to security “phpbb” unreleased patches)
allow index (soon to go away)
http://openemr.bugs3.com/flashvortex.swf “Just a domain marker for the time being”
Maybe more one day I need some dedicated server space with high bandwidth allowances…
I will let you know when I move to production on this; it’s in the development stage now.

personal test site (offline)
Feel free to join the private discussion add your own

-Rob
btw http://www.backtrack-linux.org/wiki/index.php/FAQ

robertrambo wrote on Friday, March 22, 2013:

Hello

Just wanted to post something I came across late last night
New generation of BackTrack
http://www.kali.org/

Have not tried it yet maybe this weekend when I have some time

-Rob

BTW
This is what they are saying about it!

From the creators of BackTrack comes Kali Linux, the most advanced and versatile penetration testing distribution ever created. BackTrack has grown far beyond its humble roots as a live CD and has now become a full-fledged operating system. With all this buzz, you might be asking yourself: What’s new?

visolveemr wrote on Tuesday, April 30, 2013:

Report of the ZAP tool has been posted in the following thread
http://sourceforge.net/p/openemr/discussion/202506/thread/7ba71fad/?limit=25#021c/76d6

-Devi
ViSolve