#

Title

Description

Solution

Priority

1

Password storage 

The password in encrypted in the database but visible in the user edit form. The DB administrator can also access user’s password.

Salting and hashing the passwords => should be released in 1.3.0

Critical

2

Password strength 

The password are not validated for the strength

Need minimum of characters, case, number, special character

Medium

3 

Web Services are not secured

Any call to the current WS are not secured by credentials or tokens. Using generic SOAP clients (i.e. Postman) anyone can access infos.

This impact the use of mobile applications.

Swiss TPH has started the new REST API with integrated security

Ongoing work can be found here: https://github.com/openimis/rest_api_c-sharp

Documentation: https://baselhack.swisstph-mis.ch/RestAPI/api-docs/index.html

Critical

4

FTP credentials

FTP credentials are available through a WS call. In case of bad configuration, this could allow the execution of unauthorised scripts.

Remove WS function to retrieve FTP credentials.

High

5

FTP photo transfert

This method is used for transferring photos from the mobile phones to the WS. 

The HTTP transfer has been added to v1.2.0 => FTP still there for backward compatibility

To be decided when this will be completely removed 

High

6

HTTPS not supported in mobile applications

The SOAP calls from the mobile applications are using HTTP and HTTPS is not supported. This requires to bind the Web Application to both HTTP port 80 and HTTPS port 443 which will allow access from browser using standard HTTP

1. Standard solution: In the mobile apps, check if HTTP or HTTPS and make the call accordingly.

1. Secured solution: allow only HTTPS calls 

Critical

7

The URLs are using DB ids

The URLs used to navigate between pages are using DB ids 

https://demo.openimis.org/OverviewFamily.aspx?f=204030  

Currently, the Web Application doesn’t allows to GET an URL without navigation. 

Should we change the DB ids in the URLs to unique generated ids like UUID?

Medium

8

Offline data files are not encrypted

When sending offline extracts via email (or physically copied on another medium for upload via the web portal), the extracts are not encrypted, so personal data can seen

Encrypt the data file with a public key and decrypt it with a private key. This private key can be requested over a secured API call. These keys could be extract or user dependent and could have limited lifetime.

Medium

9

Vulnerabilities detected by SonarQube

By doing a static code analysis with SonarQube, several vulnerabilities are mentioned 

https://sonarcloud.io/project/issues?id=OpenIMISWebApplication&resolved=false&types=VULNERABILITY  

These can be easily fixed.

This tool only list potential vulnerabilities, not fixing them.

Medium

10

DB configuration

There are some configuration that can improve security on DB level

Port 1433 not opened for remote access if same server or add exception for openIMIS server in case of separation of BL et DB

Do not use SA user for accessing the DB from openIMIS

https://www.sqlshack.com/top-10-security-considerations-sql-server-instances/  

N/A