Security advisories

An authenticated user with no permissions to access “document” section has the ability to direct access any document in the system by manipulating the patient_id and document_id parameters in the url. The autoincrement identifier was also susceptible of being bruteforced for both parameters, lowering the difficulty of finding valid documents. The second instance allowed unprivileged users to upload files to any user repository.

The upload functionality does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending an invalid content-type. This could be used by an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.

The credit card payment script was not properly encoding the “cardHolderName” and “zip” parameters, allowing users to inject unparsed HTML code in the server response.

The name of any uploaded document can be manipulated, using the “destination” parameter, to include newline characters in its name. This situation can be abused to break the execution of JS code in “Documents” section, leaving it unusable until malicious register is removed from DB.

The message module was affected by two cases of Cross-Site Scripting (XSS). The first involved the “stage” parameter using the “setup” functionality. The other bug was carried out using the parameter called “parameter” in the post data for the message saving functionality, which reflected the payload while returning an HTML content type.