GSoC with OpenMRS — Week 8 Update

For week 8, I worked with another GSoC member to patch an XSS vulnerability.

The Vulnerability:
To recreate this vulnerability, I took these steps:
1. Create a privilege named <script>alert(1);</script>.
2. Delete that privilege.
3. Get the alert box showing “1”.
If these steps were followed with malicious JavaScript, the attacker could extract sensitive information from the system, which would be bad.

The Fix:
After working with Parth, who is another Google Summer of Code student in my team, we discovered that the fix involved changing a variable named htmlEscape from false to true. Once we did this, the attack no longer worked, so we submitted a PR that was successfully merged. Here is a link to the PR.
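
What a switch like htmlEscape changes when a stored name is rendered, as an added example that is not OpenMRS code and not the code from the PR. The functions renderMessage and introducesMarkup and the message template are hypothetical stand-ins; the privilege name is the one from the steps above.

```javascript
// Added illustration, not OpenMRS code: every name below is hypothetical.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change how the browser parses HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Stand-in for a server-side message tag with an htmlEscape switch.
// The template is trusted; args come from stored, user-controlled data.
function renderMessage(template, args, { htmlEscape }) {
  return template.replace(/\{(\d+)\}/g, (match, i) => {
    const value = args[Number(i)];
    if (value === undefined) return match; // leave unknown placeholders alone
    return htmlEscape ? escapeHtml(value) : String(value);
  });
}

// Regression check: did rendering add tags that the trusted template
// did not contain? Counts tag openers before and after substitution.
function introducesMarkup(template, rendered) {
  const countTags = (s) => (s.match(/<[a-zA-Z\/!]/g) || []).length;
  return countTags(rendered) > countTags(template);
}

// Constructed sample data: the privilege name from the reproduction steps
// and an assumed confirmation message shown after deletion.
const privilegeName = '<script>alert(1);</script>';
const template = '<div class="notice">Privilege {0} deleted</div>';

const before = renderMessage(template, [privilegeName], { htmlEscape: false });
const after = renderMessage(template, [privilegeName], { htmlEscape: true });

console.log('htmlEscape=false:', before);
console.log('  markup injected:', introducesMarkup(template, before));
console.log('htmlEscape=true: ', after);
console.log('  markup injected:', introducesMarkup(template, after));
```

With escaping on, the name is still displayed in full, but as text rather than as an element the browser executes. A check like introducesMarkup can be kept as a regression test so the flag is not switched back unnoticed.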

The Next XSS Vulnerability:
Next I looked into another XSS vulnerability in OpenMRS, which involved injecting JavaScript into the Relation Name section of the Create Patient page, only to discover that I could not reproduce the attack — it had already been fixed! I marked this as fixed so that nobody else would try to do the same.


Next week I will be discovering other types of errors to fix.

Kate Belson

BSc Computer Science Student at University of Exeter. Participating in Google Summer of Code for OpenMRS.