GSoC 2021 with OpenMRS — final evaluation

Security issues with OpenMRS

GSoC`21 Security Issues Project Cover.

Project Title: Security Issues with OpenMRS
Primary mentor: Isaac Sears
Backup mentor: Sharif Magembe
Student: Nsereko Joshua
Reach Me: LinkedIn, Reddit

Overview

OpenMRS began collaborating with researchers from North Carolina State University (NCSU) to better secure the OpenMRS Reference Application. NCSU researchers, using cutting-edge security assessment techniques, identified almost 300 distinct security issues.

The major goal of this project was to solve as many vulnerabilities as possible on the OpenMRS Vulnerability Issue Tracker.

The OpenMRS Vulnerability Sheet(requires permission), shows all the issues I have been able to accomplish, their description, and corresponding Pull Requests.
However, if you don’t have permission to the document, I got you covered :) I am going to write all the issues i have worked on.

In this season of Google Summer Code, the security team followed a Chronological order, where every intern picked up an issue from the Vulnerability Sheet, discussed with Isaac Sears and/or the OpenMRS Security Team to know its requirements pretty well. If an issue is merged, the corresponding issue on the Sheet is updated and the user picks on another issue based on his/her personal interests. However, I personally preferred being assigned issue(s) to work on by Isaac Sears each time i closed one. I was trying to avoid working on issues that are of a low priority to both the team and the community, and/or working on issues that might require a little more integrations and time.
I also got a chance to work with parthk and Kate Belson as workmates on this project.

Objectives

1. Work on at least one issue from the vulnerability issue tracker per week — ACHIEVED
2. Fix at least 10 issues on the vulnerability sheet for the whole coding period — ACHIEVED

Contributions

Below are some of the issues i have been able to work upon, their corresponding modules and their development state.

Pull requests

MM-893: Authentication Bypass — Solved Authentication Bypass to System Administration #MERGED
EMPT-23:
Authentication Bypass — Manage Service Type #MERGED
EMPT-24:
Authentication Bypass — Manage Provider Schedules #MERGED
EMPT-25:
Authentication Bypass — find patient record #MERGED
EMPT-26:
Authentication Bypass — Active visit #MERGED
EMPT-27:
Authentication Bypass — Patient note #MERGED
EMPT-28:
Authentication Bypass — Delete Patient #MERGED
EMPT-29:
Authentication Bypass — Merge Patient Electronic Records: #MERGED
EMPT-30:
Authentication Bypass — find patient record: Manage Appointments #MERGED
EMPT-32:
Authentication Bypass — Manage Appointments #MERGED
EMPT-33:
Authentication Bypass — Solved Authentication Bypass to System Administration #MERGED
EMPT-34:
Authentication Bypass — find patient record #MERGED
EMPT-35:
Authentication Bypass — Capture Vitals: Solved Authentication Bypass to System Administration #MERGED
EMPT-36:
Authentication Bypass — System Administration #MERGED
EMPT-37:
Authentication Bypass — create patient #MERGED
EMPT-38:
Authentication Bypass — Manage App: Patient vital #MERGED
EMPT-39:
Authentication Bypass — manage role: Module list page #MERGED
EMPT-40:
Authentication Bypass — Assign Role: Sys Info #MERGED
EMPT-31
: Authentication Bypass — Patient ID in url #MERGED
RA-1424:
Removed escapeJs which is vulnerable to xss #MERGED

MM-876: XSS vulnerability — Input Validation Relationship Name: XSS in relation name (input validation) #MERGED

RA 1424: EscapeJs is vulnerable to XSS attacks #MERGED

MM-875: Session Management — Persisting user session: Emphasized that the new password is different from the old pa… #MERGED
MM-860:
CSRF Protection — implement anti-csrf Tokens: Implemented anti-csrf tokens for OpenMRS protection against CSRF attacks #IN-PROGRESS(required more time)
EMPT-174:
JSESSIONID COOKIE — Made cookies more secure. #CLOSED

MM-875: Password Management — password Visibility: Emphasized that the new password is different from the old password #MERGED
EMPT-174:
JSESSIONID COOKIE — Made cookies more secure.#CLOSED
MM-860:
CSRF Protection — implement anti-csrf Tokens: Implemented anti-csrf tokens for OpenMRS protection against CSRF attacks #IN-PROGRESS(required more time)

MM-918 [WIP]: Session Management — Authentication bug after password change #ALMOST DONE
RA-1424: EscapeJs vulnerable to XSS. #MERGED
EMPT-75:
500 error — Beautified error thrown on getting unexisting privilege #MERGED

MM-918: Session Management — user sessions: Close all user sessions after password change and on logout # #ALMOST DONE

OpenMRS Talk Threads

Weekly Blog Posts

Resources

Below is a short demo showing the some issues I have tacked. I have tried to explain merged issues thoroughly but I have given little information about issues that have not been merged for security purposes.

Future Works

Currently, we have many issues on the OpenMRS Vulnerability Tracker that are in the Not Stated State. At the same time, security issues are reported nearly on a daily basis.
As the Security Team, there is need to solve as many as possible so as to make our OMRS security vulnerability-free.

Thoughts on GSoC

Honestly, getting Google summer of Code was like a dream to me. Moreover, those kinds of dreams which seemingly might never come true. It was just like a fantasy.
That email reading “Your Proposal has been Accepted” was almost unreal. I remember reading it more than thrice to finally prove that it was all real.

Ten weeks seem too little, but the things I have learned would cost me more than a year if it wasn’t for GSoC 2021: from working with Linux remote servers, getting a better understanding of the OpenMRS modules workflow, getting some little knowledge about the implementation of OpenMRS, boosting my confidence and most especially, Hyping my knowledge about security in web applications.

It has been a fruitful summer owing to my awesome mentors, Isaac Sears and Sharif Magembe, OpenMRS Security Team, OpenMRS community members, more especially Ian Bacher, Dan Kayiwa, Herbert Yiga, and many more, who have reviewed many of my Pull Requests and provided suggestions in case of any blockers are encountered. Thank you for the good work. Your support is the only reason why I have reached this far.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store