2018-11 Code Review

Overview

Date: 2018-11
Status: fixed
Release: v1.2.0
TestType: manual
TestTopic: Security
Context: Modular Transformation
Tester: Swiss TPH
Standard:

Result Summary

Vulnerabilities

Risk       Count
Critical   3
High       2
Medium     4
Low        1

Methodology

openIMIS needed to evolve from MS IMIS into a generic standard product that can be fully customised and scaled to the needs of a growing number of implementing organisations. We had to carry out a quick analysis of the source code, considering its performance and persistence in terms of the developments foreseen in the technical roadmap. The idea is to maintain the MS Visual Basic core while at the same time starting changes towards modularity, and to explore options for successively adding new modules or replacing old ones on the basis of open source technologies.

This analysis is a deep dive into the results of a previous code review: 2018-06 Code Review

Detailed Results

Priorities:

  • Critical

  • High

  • Medium

#1 Password storage
Description: The password is encrypted in the database but visible in the user edit form. The DB administrator can also access users' passwords.
Solution: Salting and hashing the passwords => should be released in 1.3.0
Priority: Critical

#2 Password strength
Description: Passwords are not validated for strength.
Solution: Require a minimum number of characters, mixed case, a number and a special character.
Priority: Medium

#3 Web Services are not secured
Description: Calls to the current web services (WS) are not secured by credentials or tokens. Using a generic SOAP client (e.g. Postman), anyone can access the information. This affects the use of mobile applications.
Solution: Swiss TPH has started the new REST API with integrated security.
Ongoing work can be found here: https://github.com/openimis/rest_api_c-sharp
Documentation: https://baselhack.swisstph-mis.ch/RestAPI/api-docs/index.html
Priority: Critical

#4 FTP credentials
Description: FTP credentials are available through a WS call. With a bad configuration, this could allow unauthorised scripts to be executed.
Solution: Remove the WS function that retrieves FTP credentials.
Priority: High

#5 FTP photo transfer
Description: This method is used for transferring photos from the mobile phones to the WS.
Solution: HTTP transfer has been added in v1.2.0 => FTP is kept for backward compatibility. To be decided when it will be completely removed.
Priority: High

#6 HTTPS not supported in mobile applications
Description: The SOAP calls from the mobile applications use HTTP; HTTPS is not supported. This requires binding the web application to both HTTP port 80 and HTTPS port 443, which allows access from a browser over plain HTTP.
Solution:
  1. Standard solution: in the mobile apps, check whether HTTP or HTTPS is in use and make the call accordingly.
  2. Secured solution: allow only HTTPS calls.
Priority: Critical

#7 The URLs are using DB ids
Description: The URLs used to navigate between pages use DB ids
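As an added example of the remediation proposed for findings 1 and 2 (not openIMIS code), the following C# checks a password against the policy in finding 2 and stores only a random salt plus a PBKDF2 hash, so the user table never holds a recoverable password. The class and method names and the minimum length of 8 are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
// Added example, not openIMIS code. Class and method names are hypothetical.
public static class PasswordSecurity
{
    // Finding 2: minimum length, upper and lower case, a digit and a special character.
    // The review gives no minimum length; 8 is an assumption.
    public const int MinLength = 8;

    public static bool MeetsPolicy(string password)
    {
        if (string.IsNullOrEmpty(password) || password.Length < MinLength) return false;
        return password.Any(char.IsUpper)
            && password.Any(char.IsLower)
            && password.Any(char.IsDigit)
            && password.Any(c => !char.IsLetterOrDigit(c));
    }

    // Finding 1: store a random salt and a PBKDF2 hash instead of a reversible
    // encrypted password, so neither the edit form nor a DB administrator can recover it.
    private const int SaltSize = 16;       // bytes
    private const int HashSize = 32;       // bytes
    private const int Iterations = 100000;

    // Returns "iterations.base64(salt).base64(hash)" for storage in the user table.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] hash = Derive(password, salt, Iterations);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Derive(password, salt, iterations);
        // Constant-time comparison so timing does not reveal where the hashes differ.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }
}
```

Base64 never contains '.', so the stored string splits unambiguously; the iteration count is stored alongside the hash so it can be raised later without invalidating existing records.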