2018-11 Code Review
Overview
Date | 2018-11 |
---|---|
Status | fixed |
Release | v1.2.0 |
TestType | manual |
TestTopic | Security |
Context | |
Tester | |
Standard | |
Result Summary
Vulnerabilities
Risk | Count |
---|---|
Critical | 3 |
High | 2 |
Medium | 4 |
Low | 1 |
Methodology
openIMIS needed to evolve from MS IMIS into a generic standard product that can be fully customised and scaled to the needs of a growing number of implementing organisations. We carried out a quick analysis of the source code, considering its performance and its persistence in terms of the developments foreseen in the technical roadmap. The idea is to maintain the MS Visual Basic core while at the same time starting changes towards modularity, and to explore options for successively adding new modules or replacing old ones on the basis of open source technologies.
This analysis is a deep dive into the results of the previous code review: 2018-06 Code Review
Detailed Results
Priorities:
Critical
High
Medium
# | Title | Description | Solution | Priority |
---|---|---|---|---|
1 | Password storage | The password is encrypted in the database but visible in the user edit form. The DB administrator can also access users' passwords. | Salt and hash the passwords => should be released in 1.3.0 | Critical |
2 | Password strength | Passwords are not validated for strength. | Require a minimum number of characters, mixed case, a number and a special character. | Medium |
3 | Web Services are not secured | Calls to the current WS are not secured by credentials or tokens. Using generic SOAP clients (e.g. Postman), anyone can access the information. This impacts the use of mobile applications. | Swiss TPH has started the new REST API with integrated security. Ongoing work can be found here: https://github.com/openimis/rest_api_c-sharp Documentation: https://baselhack.swisstph-mis.ch/RestAPI/api-docs/index.html | Critical |
4 | FTP credentials | FTP credentials are available through a WS call. In case of bad configuration, this could allow the execution of unauthorised scripts. | Remove the WS function that retrieves FTP credentials. | High |
5 | FTP photo transfer | This method is used for transferring photos from the mobile phones to the WS. | HTTP transfer has been added in v1.2.0 => FTP is still there for backward compatibility. To be decided when this will be completely removed. | High |
6 | HTTPS not supported in mobile applications | The SOAP calls from the mobile applications use HTTP; HTTPS is not supported. This requires binding the Web Application to both HTTP port 80 and HTTPS port 443, which also allows access from a browser over plain HTTP. | | Critical |
7 | The URLs are using DB ids | The URLs used to navigate between pages are using DB ids | | |
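Findings 1 and 2 above (reversible password storage visible to administrators, and no strength validation) share one remediation pattern: store only a salted, slow hash so that neither the edit form nor the DB administrator can recover the password, and reject weak passwords before they are hashed. The block below is an added illustration of that pattern and is not openIMIS code; the record format, the PBKDF2 iteration count, the minimum length and the strength rules are assumptions chosen for the example, not values taken from the project.

```python
"""Salted password hashing plus a strength check (added example, not openIMIS code).

A stored record has the self-describing form
    pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
so the iteration count can be raised later without breaking existing records.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Assumed parameters for this example (not taken from the review or the project).
PBKDF2_ITERATIONS = 600_000   # slows offline guessing of a leaked hash
SALT_BYTES = 16               # random per-user salt defeats precomputed tables
MIN_LENGTH = 8                # assumed minimum password length
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and return the storable record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt for every new password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # malformed or legacy record: never accept
    _, iterations, salt_hex, hash_hex = parts
    try:
        derived = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(derived.hex(), hash_hex)


def password_weaknesses(password: str) -> List[str]:
    """Return the list of policy rules the password fails (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def is_strong(password: str) -> bool:
    return not password_weaknesses(password)


def set_password(password: str) -> str:
    """What a user-edit handler would do: enforce the policy, then store only the hash."""
    problems = password_weaknesses(password)
    if problems:
        raise ValueError("weak password: " + ", ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    record = set_password("Tr0ub4dor&3")          # constructed sample password
    print(record)                                  # what the DB (and the edit form) would hold
    print(verify_password("Tr0ub4dor&3", record))  # True
    print(password_weaknesses("password"))         # rules a weak password fails
```

The edit form can then show only whether a password is set, since the record contains nothing that recovers the original. Keeping the algorithm name and iteration count in the record lets the application re-hash a user's password at next login when the policy is strengthened.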