Critical Security Fix for OpenEMR setup.php
From OpenEMR Project Wiki
Revision as of 06:41, 30 November 2017 by Bradymiller
Overview
- In November of 2017, there were 2 critical security vulnerabilities reported in OpenEMR before 5.0.0 Patch 5.
- Details of the first vulnerability can be found here: https://nvd.nist.gov/vuln/detail/CVE-2017-16540
- Details of the second vulnerability (this article also does a nice job covering the first vulnerability): https://www.helpnetsecurity.com/2017/11/29/openemr-flaw-medical-records-exposed/
Secure Your OpenEMR
- To protect yourself from this vulnerability:
  - If using OpenEMR 5.0.0:
    - Update to the most recent patch by following the instructions at OpenEMR Patches.
    - Remove the setup.php file from the openemr web directory (if you need this file in the future, you can download it at setup.php).
  - If using OpenEMR 4.2.2 or lower:
    - Remove the setup.php file from the openemr web directory.
OpenEMR Community Response
- OpenEMR is an open source project that is worked on by many folks around the world. Security is taken very seriously, and both of the above vulnerabilities were fixed and patches were announced within several days of initial contact by the security firms.