LibreHealthIO / lh-ehr

LibreHealth EHR - Free Open Source Electronic Health Records

A lot of vulnerabilities in OpenEMR disclosed #1495

Open robbyoconnor opened 5 years ago

robbyoconnor commented 5 years ago

I found a report with a decently sized list of vulnerabilities in OpenEMR published on May 1st of this year.

Not sure if these exist in our code, but we should check.

robbyoconnor commented 5 years ago

See the following for a summary of what they found: https://github.com/zeropwn/vulnerability-reports-and-pocs#openemr-v5013-vulnerability-report-multiple-cves

wisdommatt commented 4 years ago

> I found a report with a decently sized list of vulnerabilities in OpenEMR published on May 1st of this year.
>
> Not sure if these exist in our code, but we should check.

@robbyoconnor I have confirmed the vulnerabilities found on https://github.com/zeropwn/vulnerability-reports-and-pocs/blob/master/OpenEMR%20-%20Vulnerability%20Report.pdf to be true. There are lots of critical vulnerabilities in LibreHealth EHR and I would like to fix them as my GSOC 20 project.

e.g. `"SELECT pc_duration FROM libreehr_postcalendar_categories WHERE pc_catid = '$input_catid'"`

I would like to convert all SQL queries to use prepared statements.
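The query quoted in the comment above, shown as an added example (not lh-ehr project code) in its string-interpolated form beside a prepared-statement version. An in-memory SQLite database stands in for the project's MySQL schema so the snippet runs offline; the table and column names come from the comment, while the function names, the sample rows and the two request values are constructed for this illustration.

```php
<?php
// Added example, not lh-ehr code: the calendar-category lookup from the issue,
// first with the value spliced into the SQL text, then as a prepared statement.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE libreehr_postcalendar_categories (pc_catid INTEGER PRIMARY KEY, pc_duration INTEGER)');
$pdo->exec('INSERT INTO libreehr_postcalendar_categories VALUES (1, 900), (2, 1800)'); // constructed rows

// Vulnerable form (the pattern the comment quotes): $input_catid becomes part of
// the SQL text, so a quote or operator in the request rewrites the WHERE clause.
function getDurationUnsafe(PDO $pdo, string $input_catid): array {
    $sql = "SELECT pc_duration FROM libreehr_postcalendar_categories WHERE pc_catid = '$input_catid'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is fixed at prepare time and the value travels as a
// bound parameter, so whatever the request contains is compared as data only.
function getDurationSafe(PDO $pdo, string $input_catid): array {
    $stmt = $pdo->prepare('SELECT pc_duration FROM libreehr_postcalendar_categories WHERE pc_catid = ?');
    $stmt->execute([$input_catid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request values: a well-formed id and one carrying a stray quote.
$normal   = '1';
$tampered = "1' OR '1'='1";

echo "unsafe / normal:   ", json_encode(getDurationUnsafe($pdo, $normal)), PHP_EOL;
echo "unsafe / tampered: ", json_encode(getDurationUnsafe($pdo, $tampered)), PHP_EOL; // every row comes back
echo "safe   / normal:   ", json_encode(getDurationSafe($pdo, $normal)), PHP_EOL;
echo "safe   / tampered: ", json_encode(getDurationSafe($pdo, $tampered)), PHP_EOL;   // no pc_catid equals that string
```

The tampered value makes the unsafe function return every category's duration, while the prepared statement returns nothing for it because the whole string is compared against `pc_catid` as a single value. In the project itself the same conversion would go through its own database helper rather than a raw PDO handle; the point that carries over is that the SQL text must never be built from request data.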

muarachmann commented 4 years ago

Head over to our chats and Forum and see what is required.

On Tue, 24 Mar 2020 at 13:15 wisdommatthew notifications@github.com wrote:

> I found a report with a decently sized list of vulnerabilities in OpenEMR https://github.com/zeropwn/vulnerability-reports-and-pocs/blob/master/OpenEMR%20-%20Vulnerability%20Report.pdf published on May 1st of this year.
>
> Not sure if these exist in our code, but we should check.
>
> @robbyoconnor https://github.com/robbyoconnor I have confirmed the vulnerabilities found on https://github.com/zeropwn/vulnerability-reports-and-pocs/blob/master/OpenEMR%20-%20Vulnerability%20Report.pdf to be true. There are lots of critical vulnerabilities in LibreHealth EHR and I would like to fix them as my GSOC 20 project.
>
> e.g. `"SELECT pc_duration FROM libreehr_postcalendar_categories WHERE pc_catid = '$input_catid'"`
>
> I would like to convert all SQL queries to use prepared statements.


robbyoconnor commented 4 years ago

There's even more that we know exist.

ayush0x00 commented 3 years ago

The image upload section while registering a new patient has no check on file type or size. One can upload batch files easily. This should be restricted to image files only, with a max size of 5 MB, for security purposes.
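An added example (not lh-ehr project code) of the server-side check the comment asks for: reject anything that is not an image, and anything over 5 MB, deciding from the file contents rather than from the name or MIME type the browser sends. The 5 MB limit and the image-only rule come from the comment; the function name, the allowed image types and the two sample files are assumptions made for this illustration.

```php
<?php
// Added example, not lh-ehr code: content-based validation of a patient photo upload.
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;                          // 5 MB, from the comment
const ALLOWED_IMAGE_TYPES = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF]; // assumed allow-list

/**
 * Validate one $_FILES entry (as PHP populates it) and return the extension the
 * file should be stored under. Throws on any failure. Neither $file['name'] nor
 * $file['type'] is trusted: both are chosen by the client.
 */
function validatePatientImage(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . ($file['error'] ?? 'none'));
    }
    // Check the size PHP reports and the size on disk; both must be under the limit.
    if ($file['size'] > MAX_UPLOAD_BYTES || filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('image exceeds the 5 MB limit');
    }
    // getimagesize() parses the image header; a batch file or script has none,
    // so it returns false regardless of what the filename claims.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], ALLOWED_IMAGE_TYPES, true)) {
        throw new RuntimeException('file is not a JPEG, PNG or GIF image');
    }
    // Store under an extension derived from the detected type, never the client's name.
    return image_type_to_extension($info[2], false);
}

// Constructed inputs: a 1x1 PNG and a text file, both written to temp files.
$png = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$txt = tempnam(sys_get_temp_dir(), 'bat');
file_put_contents($txt, "@echo off\r\n");

$samples = [
    ['name' => 'photo.png', 'tmp_name' => $png],
    ['name' => 'photo.png', 'tmp_name' => $txt], // image name, non-image contents
];
foreach ($samples as $f) {
    $f += ['error' => UPLOAD_ERR_OK, 'size' => filesize($f['tmp_name'])];
    try {
        echo $f['name'], ': accepted, store as .', validatePatientImage($f), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $f['name'], ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
unlink($png);
unlink($txt);
```

In a real request handler the `tmp_name` should additionally pass `is_uploaded_file()` before anything reads it; the sample skips that call only because its inputs are ordinary temp files rather than PHP-managed uploads. Note that the second sample is accepted by a name-based check and rejected here, which is the gap the comment describes.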

muarachmann commented 3 years ago

> The image upload section while registering a new patient has no check on file type or size. One can upload batch files easily. This should be restricted to image files only, with a max size of 5 MB, for security purposes.

Hi Ayush, @maggienegm and @Ngai-E have worked hard on solving issues like this for the past few months; you can see that in the PR section. Meanwhile, development is turning towards porting this to Laravel for a more robust, flexible, modern and secure application. If you have prior experience with that, then it will be a good starting point for contributions. See - https://forums.librehealth.io/t/librehealth-ehr-porting-to-laravel-7/3807.

Of course keep exploring the system to better understand how it functions. Cheers

ayush0x00 commented 3 years ago

I'll probably switch to the Laravel version. The current one is quite bulky and has ample security flaws. Plus, PHP is no longer used nowadays.

muarachmann commented 3 years ago

> I'll probably switch to the Laravel version. The current one is quite bulky and has ample security flaws. Plus, PHP is no longer used nowadays.

muarachmann commented 3 years ago

The Laravel project is still in development and needs a good understanding of the current system. So I will still say you should stick around the current codebase to understand it.