Thanks to Will Davison of NCC Group (Manchester UK) for disclosing this vulnerability.
Text of disclosure follows:
Evidence – Reflected XSS:
It was possible to send a GET request to the HAPI FHIR Web Application such that any included malicious code would be executed in the victim’s browser. This could be used to craft a phishing link, for example.
By URL-encoding twice, it was possible to bypass any sanitisation on URL parameters which were reflected in the page body.
The following double URL-encoded payload was used to display an alert box:
<script>alert('XSS')</script>
URL-encoding once transforms the string into: %3cscript%3ealert%28'XSS'%29%3c%2fscript%3e
URL-encoding once more gives us our final payload of: %253cscript%253ealert%2528%27XSS%27%2529%253c%252fscript%253e
In the above example, the vulnerable parameter is “id” but this should also work for vid and account. It’s likely that this issue is present in a few places, but I have not exhaustively tested. I would recommend reviewing the code in order to ensure both input sanitisation and output encoding are consistent across the application.
OWASP’s Cheat Sheet series may be of some use here: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md
This vulnerability affects only users of the "Testpage Overlay" HAPI FHIR module. Maven coordinates for this module are:
groupID: ca.uhn.hapi.fhir
artifactID: hapi-fhir-testpage-overlay
Affected versions are any versions 5.0.0 and below. This issue is resolved in version 5.1.0.
Analysis:
Users of the HAPI FHIR Testpage Overlay can use a specially crafted URL to exploit an XSS vulnerability in this module, allowing arbitrary JavaScript to be executed in the user's browser. The impact of this vulnerability is believed to be low, as this module is intended for testing and not believed to be widely used for any production purposes. Nonetheless, we recommend all users of the affected module upgrade immediately.
A complete audit of the affected codebase has been completed in order to detect and resolve any similar issues.
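To make the double-encoding bypass and the recommended fix concrete, here is an added example (not HAPI FHIR's code, and not part of the disclosure). It models one plausible failure pattern: an input-side "sanitiser" inspects the parameter after the single decode a web framework performs, finds no literal angle brackets in the still-encoded string, and passes it on; if the value is decoded a second time before it reaches the page, the markup becomes live. The hardened variant decodes until the value is stable and then applies HTML output encoding at the point of reflection, which is the approach the OWASP cheat sheet linked above recommends. The parameter name and the exact decode/sanitise ordering are assumptions for illustration; the payload string is the one quoted in the disclosure.

```python
import html
from urllib.parse import unquote

# The double-URL-encoded value from the disclosure above (used here only to
# exercise the two rendering paths).
DOUBLE_ENCODED = "%253cscript%253ealert%2528%27XSS%27%2529%253c%252fscript%253e"


def naive_strip_tags(value: str) -> str:
    """Input-side 'sanitiser' that only removes literal angle brackets.
    It cannot see brackets that are still percent-encoded."""
    return value.replace("<", "").replace(">", "")


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Decode repeatedly until the string stops changing, so that nested
    encoding layers cannot hide content from later processing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def render_weak(raw_param: str) -> str:
    """Assumed vulnerable pattern: sanitise the once-decoded parameter, then
    reflect it into the HTML body where a second decode takes place."""
    once_decoded = unquote(raw_param)          # what the framework hands the handler
    cleaned = naive_strip_tags(once_decoded)   # no literal '<' yet, so nothing is stripped
    twice_decoded = unquote(cleaned)           # the later decode reveals the markup
    return f"<p>id = {twice_decoded}</p>"


def render_hardened(raw_param: str) -> str:
    """Hardened pattern: canonicalise (decode until stable), then apply
    context-appropriate output encoding for an HTML body at the point of use."""
    value = fully_decode(raw_param)
    return f"<p>id = {html.escape(value, quote=True)}</p>"


def contains_live_script_tag(rendered_html: str) -> bool:
    """Detection helper for the comparison: does the rendered page contain an
    unescaped <script> opening tag?"""
    return "<script>" in rendered_html.lower()


if __name__ == "__main__":
    print("weak     :", render_weak(DOUBLE_ENCODED))
    print("hardened :", render_hardened(DOUBLE_ENCODED))
```

Running the block shows the weak path emitting an unescaped `<script>` tag while the hardened path emits `&lt;script&gt;…`; the point is that the filter's position (before the final decode) matters as much as the filter itself, and output encoding at the sink is what actually makes the reflection safe.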