OpenMRS Core / TRUNK-3931

Multiple Stored XSS via Patient Name


    Details

    • Complexity:
      Medium

      Description

      The create patient flow allows stored XSS when using the following
      name (the script is executed when loading mdrtbEditPatient.form, and
      potentially other pages that display the patient name):
      "><script>alert("xss")</script>

      Other places where the patient/user name injects script:
      • module/reporting/reports/reportHistory.form (XSS fires when the name is automatically populated into the "Requested By" dropdown)
      • admin/users/user.form (the "Which Person?" textbox autocomplete fires it)
      • admin/encounters/encounter.form (same dropdown as above; just fix this control)
      • patientDashboard.form (multiple places where the name is displayed: main page, demographics tab)
      • Every page when logged in as the XSS username ("Currently logged in as <script>..") (meh..)
      Privilege escalation scenario:
      Setup: Admin creates a "Person" record and links it to a User account.
      1. User can change his/her name to include an XSS string (steal session cookie).
      2. User gets admin to visit their "Person" profile, i.e.
         admin/person/person.form?personId=93483. Script could steal the admin
         cookie and send it to a malicious URL.

      This issue was originally reported by: Kevin Jacobs
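      The findings above share one root cause: the person name is concatenated into markup (attribute and text positions) without HTML escaping, so a name beginning with `">` closes the attribute and starts a new tag. The following is an added example, not OpenMRS code: a context-aware escaper, the unsafe rendering pattern beside its hardened form, and a small audit helper for finding already-stored names that contain markup. The option renderer and the name list are constructed for illustration; the payload is the one quoted in the description.

```javascript
// Payload quoted in the issue description (constructed sample input).
const XSS_NAME = '"><script>alert("xss")</script>';

// Escape the five characters that can change HTML structure. Escaping '"'
// and "'" as well makes the result safe inside quoted attribute values,
// which is exactly the context the payload breaks out of (it opens with ">).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe (hypothetical renderer, not OpenMRS code): the raw name is dropped
// into both an attribute and the element body, the pattern behind the
// autocomplete / dropdown findings in this issue.
function renderPersonOptionUnsafe(personId, name) {
  return `<option value="${personId}" title="${name}">${name}</option>`;
}

// Hardened form: every untrusted value goes through escapeHtml first, in
// both the attribute and the text position.
function renderPersonOptionSafe(personId, name) {
  const id = escapeHtml(personId);
  const safeName = escapeHtml(name);
  return `<option value="${id}" title="${safeName}">${safeName}</option>`;
}

// Check a reviewer or unit test can run over rendered markup: a correctly
// escaped name must never yield a raw <script tag in the output.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Audit helper for data already in the database: flag stored names that
// contain HTML metacharacters, so existing payloads can be found and cleaned
// before the rendering fix ships. Input is a constructed list of names.
function findSuspiciousNames(names) {
  return names.filter((n) => /[<>"'&]/.test(n));
}

const SAMPLE_NAMES = ['Jane Doe', "Conor O'Brien", XSS_NAME, 'John Smith'];
```

Note that `O'Brien` is flagged by the audit helper only because the apostrophe is an HTML metacharacter; the renderer still escapes it correctly, so the audit list is a starting point for review, not a list of attacks.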

        Attachments

        1. create_patient_error.png (67 kB)
        2. create_patient_output.png (93 kB)
        3. create_patient_output1.png (110 kB)
        4. TRUNK - 3931 Pic.PNG (16 kB)


            People

            Assignee: marv (Marvin Frick)
            Reporter: sgithens (Steven Githens)
            Votes: 0
            Watchers: 8


                Time Tracking

                Estimated: 4h (original estimate: 4 hours)
                Remaining: 0m
                Logged: 6h