2018-11 Code Review
Content
Overview
Date | 2018-11 |
---|---|
Status | fixed |
Release | v1.2.0 |
TestType | manual |
TestTopic | Security |
Context | |
Tester | |
Standard |
|
Result Summary
Vulnerabilities
Risk | Count |
---|---|
Critical | 3 |
High | 2 |
Medium | 4 |
Low | 1 |
Methodology
openIMIS needed to evolve from MS IMIS to a generic standard product that can be fully customized and scaled to the needs of a growing number of implementing organisations. We had to realize a quick analysis of the source code considering its performance and persistence in terms of developments foreseen in the technical roadmap. The idea is to maintain the MS Visual Basic core while at the same time starting changes towards modularity and to explore options for a successively adding new / replacing old modules on the basis of open source technologies.
This analysis is a deep dive on the results of a previous code review: 2018-06 Code Review
Detailed Results
Priorities:
Critical
High
Medium
# | Title | Description | Solution | Priority |
1 | Password storage | The password in encrypted in the database but visible in the user edit form. The DB administrator can also access user’s password. | Salting and hashing the passwords => should be released in 1.3.0 | Critical |
2 | Password strength | The password are not validated for the strength | Need minimum of characters, case, number, special character | Medium |
3 | Web Services are not secured | Any call to the current WS are not secured by credentials or tokens. Using generic SOAP clients (i.e. Postman) anyone can access infos. This impact the use of mobile applications. | Swiss TPH has started the new REST API with integrated security Ongoing work can be found here: https://github.com/openimis/rest_api_c-sharp Documentation: https://baselhack.swisstph-mis.ch/RestAPI/api-docs/index.html | Critical |
4 | FTP credentials | FTP credentials are available through a WS call. In case of bad configuration, this could allow the execution of unauthorised scripts. | Remove WS function to retrieve FTP credentials. | High |
5 | FTP photo transfert | This method is used for transferring photos from the mobile phones to the WS. | The HTTP transfer has been added to v1.2.0 => FTP still there for backward compatibility To be decided when this will be completely removed | High |
6 | HTTPS not supported in mobile applications | The SOAP calls from the mobile applications are using HTTP and HTTPS is not supported. This requires to bind the Web Application to both HTTP port 80 and HTTPS port 443 which will allow access from browser using standard HTTP |
| Critical |
7 | The URLs are using DB ids | The URLs used to navigate between pages are using DB ids | Currently, the Web Application doesn’t allows to GET an URL without navigation. Should we change the DB ids in the URLs to unique generated ids like UUID? | Medium |
8 | Offline data files are not encrypted | When sending offline extracts via email (or physically copied on another medium for upload via the web portal), the extracts are not encrypted, so personal data can seen | Encrypt the data file with a public key and decrypt it with a private key. This private key can be requested over a secured API call. These keys could be extract or user dependent and could have limited lifetime. | Medium |
9 | Vulnerabilities detected by SonarQube | By doing a static code analysis with SonarQube, several vulnerabilities are mentioned https://sonarcloud.io/project/issues?id=OpenIMISWebApplication&resolved=false&types=VULNERABILITY | These can be easily fixed.
This tool only list potential vulnerabilities, not fixing them. | Medium |
10 | DB configuration | There are some configuration that can improve security on DB level | Port 1433 not opened for remote access if same server or add exception for openIMIS server in case of separation of BL et DB Do not use SA user for accessing the DB from openIMIS Top 10 security considerations for your SQL Server instances | N/A |
Remediation
All critical and high risk errors were fixed immediately ( ). Lower risk errors were addressed in the issue queue ( ). All instances in countries were patched within half a year.
Report
-none-
Did you encounter a problem or do you have a suggestion?
Please contact our Service Desk
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/