
OpenMRS 2.3 (1.11.4) Multiple Cross-Site Scripting Vulnerabilities

Medium
Advisory ID
ZSL-2015-5287
Release Date
07 December 2015
Vendor
OpenMRS Inc. - http://www.openmrs.org
Affected Version
OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0), OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
CVE
N/A
Tested On
Ubuntu 12.04.5 LTS, Apache Tomcat/7.0.26, Apache Tomcat/6.0.36, Apache Coyote/1.1
Summary

OpenMRS is an application that enables the design of a customized medical records system with no programming knowledge (although medical and systems-analysis knowledge is required). It is a common framework upon which medical informatics efforts in developing countries can be built.

Description

OpenMRS suffers from multiple stored and reflected cross-site scripting vulnerabilities because input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
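The two XSS variants named above share one root cause and one fix: untrusted input is written into an HTML response without being encoded for the HTML context. The following is an added illustration written for this page, not OpenMRS code, and it names no OpenMRS parameter or script. It models a reflected path (a query-string parameter echoed back) and a stored path (a saved value rendered later) and shows that encoding at output time neutralises both; the parameter name `name`, the in-memory store and the sample input are constructed for the example.

```python
"""Added example (not OpenMRS code): output encoding as the fix for
reflected and stored cross-site scripting."""
import html
from typing import Dict
from urllib.parse import parse_qs

# Constructed sample input: a value that a browser would interpret as
# markup if it were reflected verbatim. It is used only to show the
# difference output encoding makes.
UNTRUSTED = '<b onmouseover="x()">name</b>'


def render_unescaped(value: str) -> str:
    # Vulnerable pattern: untrusted text concatenated straight into HTML.
    return f"<p>Hello, {value}</p>"


def render_escaped(value: str) -> str:
    # Hardened pattern: encode for the HTML text context before returning
    # it. quote=True also encodes " and ', which matters inside attributes.
    return f"<p>Hello, {html.escape(value, quote=True)}</p>"


def handle_greeting(query_string: str) -> str:
    """Reflected path: take a hypothetical 'name' parameter from the query
    string and return it in the page body, encoded."""
    params = parse_qs(query_string)
    value = params.get("name", ["guest"])[0]
    return render_escaped(value)


# Minimal in-memory store standing in for a database (stored path).
_profiles: Dict[str, str] = {}


def save_profile(user_id: str, display_name: str) -> None:
    # Raw storage is acceptable provided every renderer encodes on output;
    # escaping at write time is easy to miss in one of several code paths
    # and breaks non-HTML consumers of the same data.
    _profiles[user_id] = display_name


def render_profile(user_id: str, escape: bool = True) -> str:
    """Stored path: render a previously saved value, with or without the fix."""
    value = _profiles[user_id]
    return render_escaped(value) if escape else render_unescaped(value)


def survives_as_markup(rendered: str, value: str) -> bool:
    """True if the untrusted value reached the output byte-for-byte, i.e. as
    live markup rather than as text."""
    return value in rendered


if __name__ == "__main__":
    print("reflected, unescaped :", render_unescaped(UNTRUSTED))
    print("reflected, escaped   :", render_escaped(UNTRUSTED))
    save_profile("u1", UNTRUSTED)
    print("stored, unescaped    :", render_profile("u1", escape=False))
    print("stored, escaped      :", render_profile("u1"))
```

The check to carry over into a test suite is `survives_as_markup`: for every page that renders user-controlled data, the raw value must never appear unchanged in the response body, whether it arrived in the current request or from the database.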

Proof of Concept
Disclosure Timeline
02.11.2015 - Vulnerability discovered.
10.11.2015 - Vendor contacted via http://openmrs.org/help/report-a-bug/.
10.11.2015 - Vendor responds instructing us to create an OpenMRS ID and post to the developer category on talk.openmrs.org.
10.11.2015 - Issues with registration.
11.11.2015 - Contacting [email protected]
12.11.2015 - Sent information to the vendor on the IRC channel.
14.11.2015 - Vendor responds asking for more details.
14.11.2015 - Sent details to the vendor.
16.11.2015 - Vendor confirms issues, working on a patch.
25.11.2015 - Asked vendor for a status update.
25.11.2015 - Vendor informs us that patches are done and are being tested before release, probably next week.
30.11.2015 - Vendor releases new modules to address these issues.
02.12.2015 - Vendor releases new official version 2.3.1 to address these issues.
07.12.2015 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
07.12.2015 - Initial release
08.12.2015 - Added references [11], [12] and [13]
10.12.2015 - Added references [14] and [15]