Results of security scan - SQL Injection, Cross-site scripting

Anyone else have high-level issues come back as a result of a security scan? We ran Burp Scanner and a couple came back that are concerning. Before we dig into the code, wanted to see if anyone else encountered these and found out if they were false positives or handled elsewhere in the code base.

SQL Injection: ViewNotes -- The listNotes_f_discrepancyNoteBean.user parameter appears to be vulnerable to SQL injection attacks.

Cross-site scripting (reflected): ListStudySubjects/ViewNotes -- The value of the findSubjects_f_studySubject.label/listNotes_f_discrepancyNoteBean.user request parameter is copied into a JavaScript string which is encapsulated in single quotation marks.
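As an added example, not code from this thread or from OpenClinica itself: a model of the flagged pattern (a request parameter copied into a single-quoted JavaScript string) beside an encoder for that context, with a constructed stand-in for the browser's parse. The template shape and the variable name `filterUser` are assumptions.

```javascript
// Added example (not OpenClinica's code): models how a request parameter like
// the one flagged by the scanner ends up inside a single-quoted JavaScript
// string in a rendered page. Template shape and "filterUser" are assumptions.

// Encode a value for a JavaScript string-literal context. Everything outside a
// conservative allow-list becomes a \xHH or \uHHHH escape, which covers the
// quote that would end the literal, the backslash, line terminators, and
// '<', '/', '>' so the output can never spell "</script>".
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g, (ch) => {
    const code = ch.charCodeAt(0); // surrogate halves are escaped one by one
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The shape the scanner flagged: the raw parameter is concatenated into the script.
function renderUnsafe(user) {
  return "<script>var filterUser = '" + user + "';</script>";
}

// Hardened shape: same template, but the value is encoded for the JS context first.
function renderSafe(user) {
  return "<script>var filterUser = '" + encodeForJsString(user) + "';</script>";
}

// True when the page holds more than one closing script tag, i.e. the parameter
// was able to terminate the inline script block itself.
function scriptBlockClosedEarly(html) {
  return html.indexOf('</script>') !== html.lastIndexOf('</script>');
}

// Evaluate the inline script in isolation and report the value the browser
// would assign, or the parse error. A constructed stand-in for a real browser.
function evaluateInlineScript(html) {
  const body = html.slice('<script>'.length, html.lastIndexOf('</script>'));
  try {
    return { ok: true, value: new Function(body + ' return filterUser;')() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Constructed inputs: a plain value, one with a quote, one with a closing tag.
for (const s of ['jdoe', "O'Brien", 'a</script>b']) {
  console.log(JSON.stringify(s), 'unsafe:', evaluateInlineScript(renderUnsafe(s)),
              'safe:', evaluateInlineScript(renderSafe(s)));
}
```

The unsafe render turns a quote in the parameter into a parse error (the scanner's signal that the literal can be terminated) while the encoded render round-trips every value unchanged.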

Comments

  • lindsay.stevens Posts: 402
    Would it be possible to share the results / report from your scan and/or risk assessment of the results?

    I don't think there is an official security issues disclosure procedure for OpenClinica but as a starting point could you please email to lstevens@openclinica.com?

    Lastly, would you have any interest / resources to work on fixes if they are found to be critical / necessary?
  • ccg-cdc Posts: 4
    We are in the process of digging through the code and identifying solutions. We will share those results on this forum. I already talked with someone at OpenClinica and they indicated that they could not help me as I was not a paid subscriber. This forum, they said, was the best way to communicate and find answers.

  • lindsay.stevens Posts: 402
    Well, I suppose in a sense it was the best place - that's how I came to see it :)

    Still keen to have a look at the information you have, if you can send it.
  • ccg-cdc Posts: 4
    Lindsay, I will be emailing you the report for the two high level issues. Had to wipe it clean of identifying information and also get it cleared from our security team.

    For the SQL Injection, we ran further tests and it appears that any injection attempts resulted in an error message or the system returning no data. Although those might not be the cleanest or most descriptive of responses, it should prevent the attacker from getting access.

    For the second one, the Cross-site scripting (reflected), we were able to reproduce this one and we consider this a very high threat. We are currently implementing a fix for this one and once we are comfortable with the results, we will share the results to this thread.
  • lindsay.stevens Posts: 402
    Thanks very much, I've received your email with the report. I've circulated it internally and it's currently being reviewed. I'll respond to your email directly about the fix you mentioned.