Security Vulnerability

bradymiller wrote on Thursday, February 14, 2013:

Hi,

The following security vulnerability was posted yesterday:
http://packetstormsecurity.com/files/120274/OpenEMR-4.1.1-Shell-Upload.html

Likely just Windows servers will be affected, however recommend the following on all OpenEMR installations:

1. If using OpenEMR 4.1.1, then update to the most recent patch here (or follow option 2 below):
http://www.open-emr.org/wiki/index.php/OpenEMR_Patches

2. If using OpenEMR 4.1.0 or below, then recommend removing the following file and directory from your OpenEMR installation:
FILE: openemr/library/openflashchart/php-ofc-library/ofc_upload_image.php
DIRECTORY: openemr/library/openflashchart/tmp-upload-images/
(the directory should not exist, but if it does, then remove it)

-brady
OpenEMR
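An added example, not part of the original post or of the OpenEMR project: a small POSIX shell script that audits an OpenEMR tree for the two paths named in option 2 above and, on request, moves them out of the web root. The web root argument and the quarantine directory are assumptions; the two relative paths are the ones given in the post.

```shell
#!/bin/sh
# Added example (not OpenEMR project code): check an OpenEMR web root for the
# Open Flash Chart upload endpoint and its image-upload directory, and move
# them out of the web root when asked to.
# Assumption: the first argument is the OpenEMR web root (e.g. /var/www/openemr).

# Relative paths taken from the advisory post above.
OFC_UPLOAD_SCRIPT="library/openflashchart/php-ofc-library/ofc_upload_image.php"
OFC_UPLOAD_DIR="library/openflashchart/tmp-upload-images"

# ofc_audit ROOT
# Prints what it finds. Returns 0 if neither path exists, 1 if either does.
ofc_audit() {
    root="$1"
    status=0
    if [ -f "$root/$OFC_UPLOAD_SCRIPT" ]; then
        echo "FOUND: $root/$OFC_UPLOAD_SCRIPT (upload endpoint still present)"
        status=1
    fi
    if [ -d "$root/$OFC_UPLOAD_DIR" ]; then
        echo "FOUND: $root/$OFC_UPLOAD_DIR (should not exist on a clean install)"
        # Files already in this directory are worth keeping for incident review,
        # so list them rather than deleting them silently.
        find "$root/$OFC_UPLOAD_DIR" -type f -print | sed 's/^/  file: /'
        status=1
    fi
    return $status
}

# ofc_remove ROOT QUARANTINE
# Moves both paths into QUARANTINE (assumed to be outside the web root) so the
# endpoint is no longer reachable but the contents remain available for review.
ofc_remove() {
    root="$1"
    quarantine="$2"
    mkdir -p "$quarantine"
    if [ -f "$root/$OFC_UPLOAD_SCRIPT" ]; then
        mv "$root/$OFC_UPLOAD_SCRIPT" "$quarantine/ofc_upload_image.php"
    fi
    if [ -d "$root/$OFC_UPLOAD_DIR" ]; then
        mv "$root/$OFC_UPLOAD_DIR" "$quarantine/tmp-upload-images"
    fi
}

# Usage: sh ofc_audit.sh /var/www/openemr [QUARANTINE_DIR]
# Audit only when given a web root; remove as well when a quarantine dir is given.
if [ -n "${1:-}" ]; then
    if ! ofc_audit "$1"; then
        if [ -n "${2:-}" ]; then
            ofc_remove "$1" "$2"
            echo "moved to $2; re-run the audit to confirm"
        else
            exit 1
        fi
    fi
fi
```

Moving the paths to a quarantine directory rather than deleting them is a design choice made here, not something the post prescribes: if the upload directory exists on a system that never should have had it, its contents are the evidence you want to keep while deciding whether the box was actually used.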

yehster wrote on Thursday, February 14, 2013:

Googling “openflash chart security exploit” reveals that the vulnerability has been around in Open Flash Chart for several years (at least since 2009).

I can’t easily tell if Open Flash Chart version 2 still has this vulnerability or not.

This is an example of why we need to be cautious when including new “external” libraries.

Dr. Eschelbacher asked in another thread, what’s the difference between including jQuery in the OpenEMR official tree vs. Zend Framework? Here is one significant difference. jQuery is pure JavaScript, so it never “runs on the server.” If we include PHP libraries like this, we are subject to any vulnerabilities that it may have.