GSoC with OpenMRS — Week 8 Update
For week 8, I worked with another GSoC member to patch an XSS vulnerability.
The Vulnerability:
To recreate this vulnerability, I took these steps:
1. Create a privilege named <script>alert(1);</script>.
2. Delete that privilege.
3. Get the alert box showing “1”.
If the same steps were carried out with malicious JavaScript instead of a harmless alert, that script would run in the browser of the administrator performing the deletion, with that administrator's session, and could be used to read sensitive data from the system or perform actions on their behalf.
The Fix:
After working with Parth, who is another Google Summer of Code student in my team, we discovered that the fix involved changing a variable named htmlEscape from false to true. Once we did this, the attack no longer worked, so we submitted a PR that was successfully merged. Here is a link to the PR.
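The following is an added example, not OpenMRS code or the code from the merged PR, that illustrates both the reproduction above and the fix: the same "privilege deleted" message is rendered once with the escaping switch off and once with it on, and an HTML parser is used to confirm whether the privilege name becomes a live script element. The htmlEscape flag, the message template and the sample privilege names are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample privilege names. The first is the one from the
# reproduction steps; the others are other common injection shapes and a
# benign name containing an ampersand.
PRIVILEGE_NAMES = [
    "<script>alert(1);</script>",
    "<img src=x onerror=alert(1)>",
    "Manage & View Patients",
]


def render_deleted_message(name: str, html_escape: bool) -> str:
    """Build the 'privilege deleted' message the way a templating tag with an
    htmlEscape toggle would (illustrative stand-in, not the OpenMRS template).
    With html_escape=False the raw name is concatenated into the markup; with
    html_escape=True the name is HTML-escaped so it is treated as text."""
    rendered = html.escape(name, quote=True) if html_escape else name
    return f'<div class="message">Privilege {rendered} deleted</div>'


class _TagCollector(HTMLParser):
    """Collects the names of every start tag the parser encounters."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(fragment: str) -> list[str]:
    """Return the element tags a browser-like parser would see in the fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def is_safe_rendering(fragment: str) -> bool:
    """The message should contain exactly one element: the wrapping div.
    Any additional element came from the untrusted privilege name."""
    return element_tags(fragment) == ["div"]


def audit(names: list[str], html_escape: bool) -> dict[str, bool]:
    """Map each privilege name to whether its rendered message is safe."""
    return {n: is_safe_rendering(render_deleted_message(n, html_escape)) for n in names}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"htmlEscape={flag}")
        for name, safe in audit(PRIVILEGE_NAMES, flag).items():
            print(f"  {'safe  ' if safe else 'UNSAFE'} {name!r}")
```

Running the block shows the injected names are unsafe only when escaping is off, while the benign name with an ampersand is safe in both modes; escaping it yields `&amp;`, which a browser displays back to the user as the original `&`, so turning the flag on does not change what legitimate names look like.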
The Next XSS Vulnerability:
Next I looked into another XSS vulnerability in OpenMRS, which involved injecting JavaScript into the Relation Name section of the Create Patient page, only to discover that I could not reproduce the attack — it had already been fixed! I marked this as fixed so nobody else tried to do the same.
Next week I will be discovering other types of errors to fix.