2018-11 Code Review

Overview

Date

2018-11

Status

fixed

Release

v1.2.0

TestType

manual

TestTopic

Security

Context

https://openimis.atlassian.net/wiki/spaces/OP/pages/494338053

Tester

https://openimis.atlassian.net/wiki/spaces/OP/pages/835682333

Standard

Result Summary

Vulnerabilities

Risk

Count

Critical

3

High

2

Medium

4

Low

1

extension

Methodology

openIMIS needed to evolve from MS IMIS to a generic standard product that can be fully customized and scaled to the needs of a growing number of implementing organisations. We had to realize a quick analysis of the source code considering its performance and persistence in terms of developments foreseen in the technical roadmap. The idea is to maintain the MS Visual Basic core while at the same time starting changes towards modularity and to explore options for a successively adding new / replacing old modules on the basis of open source technologies.

This analysis is a deep dive on the results of a previous code review: https://openimis.atlassian.net/wiki/spaces/OP/pages/3591143425

Detailed Results

Priorities:

  • Critical

  • High

  • Medium

 

#

Title

Description

Solution

Priority

1

Password storage 

The password in encrypted in the database but visible in the user edit form. The DB administrator can also access user’s password.

Salting and hashing the passwords => should be released in 1.3.0

Critical

 

2

Password strength 

The password are not validated for the strength

Need minimum of characters, case, number, special character

Medium

Web Services are not secured

Any call to the current WS are not secured by credentials or tokens. Using generic SOAP clients (i.e. Postman) anyone can access infos.

This impact the use of mobile applications.

Swiss TPH has started the new REST API with integrated security

Ongoing work can be found here: https://github.com/openimis/rest_api_c-sharp

Documentation: https://baselhack.swisstph-mis.ch/RestAPI/api-docs/index.html

Critical

4

FTP credentials

FTP credentials are available through a WS call. In case of bad configuration, this could allow the execution of unauthorised scripts.

Remove WS function to retrieve FTP credentials.

High

5

FTP photo transfert

This method is used for transferring photos from the mobile phones to the WS. 

The HTTP transfer has been added to v1.2.0 => FTP still there for backward compatibility

To be decided when this will be completely removed 

High

6

HTTPS not supported in mobile applications

The SOAP calls from the mobile applications are using HTTP and HTTPS is not supported. This requires to bind the Web Application to both HTTP port 80 and HTTPS port 443 which will allow access from browser using standard HTTP

  1. Standard solution: In the mobile apps, check if HTTP or HTTPS and make the call accordingly.

  1. Secured solution: allow only HTTPS calls 

Critical

7

The URLs are using DB ids

The URLs used to navigate between pages are using DB ids 

https://demo.openimis.org/OverviewFamily.aspx?f=204030  

Currently, the Web Application doesn’t allows to GET an URL without navigation. 

Should we change the DB ids in the URLs to unique generated ids like UUID?

Medium

8

Offline data files are not encrypted

When sending offline extracts via email (or physically copied on another medium for upload via the web portal), the extracts are not encrypted, so personal data can seen

Encrypt the data file with a public key and decrypt it with a private key. This private key can be requested over a secured API call. These keys could be extract or user dependent and could have limited lifetime.

Medium

9

Vulnerabilities detected by SonarQube

By doing a static code analysis with SonarQube, several vulnerabilities are mentioned 

https://sonarcloud.io/project/issues?id=OpenIMISWebApplication&resolved=false&types=VULNERABILITY  

These can be easily fixed.

 

This tool only list potential vulnerabilities, not fixing them.

Medium

10

DB configuration

There are some configuration that can improve security on DB level

Port 1433 not opened for remote access if same server or add exception for openIMIS server in case of separation of BL et DB

Do not use SA user for accessing the DB from openIMIS

https://www.sqlshack.com/top-10-security-considerations-sql-server-instances/  

N/A

 

Remediation

All critical and high risk errors were fixed immediately ( ). Lower risk errors were addressed in the issue queue ( ). All instances in countries were patched within half a year.

Report

-none-

 

Did you encounter a problem or do you have a suggestion?

Please contact our Service Desk



This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/