lh-ehr
Fix Authenticated Unrestricted File Write in letter.php
Fixes #1213
At first glance this looks good -- gonna test this.
Should do at a bare minimum: can you use CSRF token stuff to further validate the forms? Consider writing your own class or something of the sort. I think this will be used for every form henceforth. That way requests are ensured.
@realJema -- we really need to do this. This is still vulnerable. You're trading one vulnerability for another here.
This is the attack that you traded for: https://owasp.org/www-community/attacks/csrf
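One way to do what the comment above asks for, as an added example that is not lh-ehr's own code and not the patch under review: a small per-session CSRF token class that any form handler can call. It assumes PHP 7.1 or later (for `random_bytes`, `hash_equals`, nullable types and class constants), a session started before the class is used, and hypothetical names (`CsrfToken`, the `csrf_token` field, the `letter` form name, the `__csrf_tokens` session key) chosen for illustration only.

```php
<?php
// Added example (not lh-ehr project code): minimal per-form CSRF token helper.
// Assumes PHP >= 7.1 and that session_start() has already been called.

final class CsrfToken
{
    private const SESSION_KEY = '__csrf_tokens'; // hypothetical session slot
    private const TTL = 3600;                    // seconds a token stays valid

    /** Generate a fresh token for one named form and remember it in the session. */
    public static function generate(string $formName): string
    {
        self::requireSession();
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $_SESSION[self::SESSION_KEY][$formName] = [
            'value'  => $token,
            'issued' => time(),
        ];
        return $token;
    }

    /** Hidden <input> to embed in the form that will POST back to us. */
    public static function field(string $formName): string
    {
        $token = self::generate($formName);
        return '<input type="hidden" name="csrf_token" value="'
            . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    }

    /**
     * Verify a submitted token. The stored token is consumed on every attempt,
     * matching or not, so a captured value cannot be replayed; comparison is
     * constant-time so timing does not leak how many bytes matched.
     */
    public static function verify(string $formName, ?string $submitted): bool
    {
        self::requireSession();
        $stored = $_SESSION[self::SESSION_KEY][$formName] ?? null;
        unset($_SESSION[self::SESSION_KEY][$formName]);

        if ($stored === null || $submitted === null) {
            return false;
        }
        if (time() - $stored['issued'] > self::TTL) {
            return false; // expired
        }
        return hash_equals($stored['value'], $submitted);
    }

    /** Call first thing in a state-changing handler; refuse anything that fails. */
    public static function enforce(string $formName): void
    {
        $ok = $_SERVER['REQUEST_METHOD'] === 'POST'
            && self::verify($formName, $_POST['csrf_token'] ?? null);
        if (!$ok) {
            http_response_code(403);
            exit('Invalid or missing CSRF token.');
        }
    }

    private static function requireSession(): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            throw new RuntimeException('Start the session before using CsrfToken.');
        }
    }
}

// Hypothetical usage in a form page and its handler (not letter.php's real layout):
// Rendering:  echo '<form method="post">' . CsrfToken::field('letter') . '...</form>';
// Handling:   CsrfToken::enforce('letter');   // only then touch $_POST / write files
```

The token is keyed per form name and consumed on first use, which blocks replay but also means a user with the same form open in two tabs will have the second submission rejected; if that matters for the workflow, keep the token in the session for the whole session instead of unsetting it, and still compare with `hash_equals`. Requiring `POST` is deliberate: a GET handler that changes state can be triggered by a plain `<img>` tag, which the OWASP page linked above describes.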
OK, let me update the fix.
Or, you could evaluate the feature, discuss if it actually has a place in the workflow, then dump the legacy code.
HINT: It doesn't.
On 3/31/2020 7:49 AM, Jema wrote:
Should do at a bare minimum, can you use CSRF token stuff to further validate the forms. Consider writing your own class or something of the sort. I think this will be used for every form henceforth. That way requests are ensured. @realJema <https://github.com/realJema> -- we really need to do this. This is still vulnerable. You're trading one vulnerability for another here.
OK, let me update the fix.
Thanks Art for the input :) Glad to see you around.
On Tue, 31 Mar 2020 at 18:57 Art Eaton [email protected] wrote:
Or, you could evaluate the feature, discuss if it actually has a place in the workflow, then dump the legacy code.
HINT: It doesn't.
--
MUA N. LAURENT, Lead Software Engineer, Akivas Inc. https://akivas.com/ (Douala, CM / Cape Town, SA)
You need to address this.