Difference between revisions of "Security Alert Fixes"

Revision as of 22:12, 20 February 2013

Place to record and track OpenEMR security alerts and their fixes (in chronological order from earlier to later):

The first two items likely still exist. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
The last 2 items will be fixed in next 4.1.1 patch and dev version.

The first item is same as the arbitrary file upload vulnerability item reported above and has been fixed in most recent 4.1.1 patch and dev version.
The second item likely still exists. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
The third item is fixed in most recent 4.1.1 patch and dev version.
The fourth item likely still exists. A user needs to be authenticated(logged in) into OpenEMR to be able to do this; note a codebase refactoring is currently underway to fix these types of vulnerabilities.
The fifth item will be fixed in next 4.1.1 patch and dev version.
The sixth item will be fixed in next 4.1.1 patch and dev version.
The seventh item is fixed in most recent 4.1.1 patch and dev version.

TODO:

Systematically go through the http://osvdb.org/ site to ensure all vulnerabilities have been addressed. (2/20/2013)

@@ Line 5: / Line 5: @@
 ::*Fixed in most recent 4.0.0 patch and dev version
 :*[http://packetstorm.unixteacher.org/1104-exploits/OpenEMR4.0.0-xss.txt Reflected Cross-site Scripting]
-::*This link is dead. [[User:Bradymiller|Bradymiller]] 20:04, 30 November 2012 (UTC)
+::*This link is dead.
 :*[http://packetstormsecurity.org/files/103810 Multiple cross-site scripting]
 ::*There are 4 items here: