Results of security scan - SQL Injection, Cross-site scripting

Has anyone else had high-level issues come back as a result of a security scan? We ran Burp Scanner and a couple came back that are concerning. Before we dig into the code, we wanted to see if anyone else has encountered these and found out whether they were false positives or handled elsewhere in the code base.

SQL Injection: ViewNotes -- The listNotes_f_discrepancyNoteBean.user parameter appears to be vulnerable to SQL injection attacks.

Cross-site scripting (reflected): ListStudySubjects/ViewNotes -- The value of the findSubjects_f_studySubject.label/listNotes_f_discrepancyNoteBean.user request parameter is copied into a JavaScript string which is encapsulated in single quotation marks.
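The first finding names a single filter parameter. The added example below is written for this thread, not code from the original post or from OpenClinica, and is in Python rather than the project's own Java. It shows, against a constructed in-memory table with hypothetical names, the two ways such an owner filter is typically built, plus a boolean differential of the kind Burp uses to confirm a string-context injection, which is also a quick way to separate a true positive from a false one once the query behind the parameter has been located.

```python
import sqlite3

# Constructed sample data: a minimal stand-in for a list of discrepancy notes
# filtered by owner. Table and column names are hypothetical, not OpenClinica's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE discrepancy_note (id INTEGER, owner TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO discrepancy_note VALUES (?, ?, ?)",
        [(1, "alice", "missing visit date"),
         (2, "bob", "value out of range"),
         (3, "alice", "typo in label")],
    )
    return conn


def list_notes_unsafe(conn, user):
    # Vulnerable pattern: the request parameter is spliced into the SQL text,
    # so a quote in the value changes the query rather than the comparison.
    sql = f"SELECT id FROM discrepancy_note WHERE owner = '{user}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_notes_safe(conn, user):
    # Hardened: the value is bound as a parameter. The driver never lets it
    # become SQL syntax, so "' OR '1'='1" is simply an owner nobody has.
    sql = "SELECT id FROM discrepancy_note WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user,))]


def boolean_differential(list_fn, conn, known_value):
    # The check a scanner uses to confirm a string-context injection: append a
    # true and a false tautology to a value that normally matches. If the two
    # result sets differ, the input is reaching the SQL parser as syntax.
    true_rows = list_fn(conn, known_value + "' AND '1'='1")
    false_rows = list_fn(conn, known_value + "' AND '1'='2")
    return true_rows != false_rows


if __name__ == "__main__":
    db = make_db()
    print("unsafe, alice:      ", list_notes_unsafe(db, "alice"))
    print("unsafe, tautology:  ", list_notes_unsafe(db, "' OR '1'='1"))
    print("safe,   tautology:  ", list_notes_safe(db, "' OR '1'='1"))
    print("unsafe differential:", boolean_differential(list_notes_unsafe, db, "alice"))
    print("safe   differential:", boolean_differential(list_notes_safe, db, "alice"))
```

If the parameter turns out to drive a column name or sort direction rather than a compared value, a bound parameter cannot be used; the safe pattern there is an allowlist of accepted identifiers, with anything else rejected.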

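The second finding describes a classic sink: a request value copied into a single-quoted JavaScript string inside an inline script. The added example below is not code from the original post or from OpenClinica; it uses Python to stand in for the server-side template and renders a hypothetical `label` value three ways: the verbatim copy the scanner flagged, the common half-fix of escaping only the quote, and a full JS-string encoding. A small review check then tests which renderings keep the literal intact against constructed payloads. The `var label = '...'` fragment and the payloads are constructed for illustration.

```python
import re

# Hypothetical inline-script fragment of the kind the scanner describes; the
# variable name and surrounding markup are constructed for illustration.
PREFIX = "<script>var label = '"
SUFFIX = "';</script>"


def render_unsafe(value):
    # Vulnerable: the request parameter is copied verbatim into the JS string.
    return f"{PREFIX}{value}{SUFFIX}"


def render_naive(value):
    # Insufficient: escaping only the single quote still lets an attacker-
    # supplied backslash neutralise the escape, and does nothing about
    # </script>, which the HTML parser honours before the JS parser runs.
    escaped = value.replace("'", "\\'")
    return f"{PREFIX}{escaped}{SUFFIX}"


def js_string_encode(value):
    # Hardened: every character outside [A-Za-z0-9] becomes \xHH (or \uHHHH
    # above U+00FF), so quotes, backslashes, '<', '/' and line terminators
    # cannot appear in the output in any form the browser would act on.
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


def render_safe(value):
    return f"{PREFIX}{js_string_encode(value)}{SUFFIX}"


def literal_intact(html):
    # Review check: does the attacker-controlled region still sit inside the
    # string literal? It fails on an unescaped quote (one preceded by an even
    # number of backslashes), a raw line terminator, or a closing script tag.
    inner = html[len(PREFIX):-len(SUFFIX)]
    unescaped_quote = re.search(r"(?<!\\)(?:\\\\)*'", inner)
    closing_tag = re.search(r"</script", inner, re.IGNORECASE)
    raw_newline = "\n" in inner or "\r" in inner
    return unescaped_quote is None and closing_tag is None and not raw_newline


# Constructed payloads: quote breakout, backslash-assisted breakout, tag breakout.
PAYLOADS = (
    "'; alert(1); //",
    "\\'; alert(1); //",
    "</script><script>alert(1)</script>",
)

if __name__ == "__main__":
    renderers = (("unsafe", render_unsafe), ("naive", render_naive), ("safe", render_safe))
    for p in PAYLOADS:
        print(repr(p))
        for name, fn in renderers:
            print(f"  {name:6s} intact={literal_intact(fn(p))}  {fn(p)}")
```

Running the block shows why a quote-only escape passes the first payload and fails the other two, while the `\xHH` encoding survives all three; that difference is what distinguishes a real fix from one that merely quiets the scanner's first probe.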


Comments

  • lindsay.stevens Posts: 401
    Would it be possible to share the results / report from your scan and/or risk assessment of the results?

    I don't think there is an official security issues disclosure procedure for OpenClinica but as a starting point could you please email to lstevens@openclinica.com?

    Lastly, would you have any interest / resources to work on fixes if they are found to be critical / necessary?
  • ccg-cdc Posts: 3
    We are in the process of digging through the code and identifying solutions. We will share those results on this forum. I already talked with someone at OpenClinica and they indicated that they could not help me as I was not a paid subscriber. This forum, they said, was the best way to communicate and find answers.

  • lindsay.stevens Posts: 401
    Well, I suppose in a sense it was the best place - that's how I came to see it :)

    Still keen to have a look at the information you have, if you can send it.