Security issues

    Lams - 2013-09-07

    I have noticed a potential security vulnerability with the openemr web directory structure and files being visible to the public. The standard measures (such as Deny all for patient doc directories) does protect patient documents. However, some php forms under contrib allow direct save option to the public.

    I would suggest the following additional security measures:
    modify virtual host in apache sites-enabled entry to include:
    <Directory "/var/www/openemr">
    Options -Indexes
    </Directory>

    OR: create a .htaccess file under /var/www/openemr simply containing "Options -Indexes"

    Either of these two options will make the web directories forbidden to the public.

    Any thoughts?

    Paul

    Last edit: Lams 2013-09-07
    Brady Miller - 2013-09-07

    Hi,

    Would be very nice to have this (and might as well throw in the settings to not allow access to the documents, edi, and era directories and other security settings that make sense). Then could yank the .htaccess file from the documents directory also and just consolidate it into one.

    An important thing to note is that some apache default installations do not have the .htaccess use turned on by default. So, it still makes sense to let users know how to set apache to use the .htaccess file along with making the changes in the apache config, which could be documented here:
    http://www.open-emr.org/wiki/index.php/Securing_OpenEMR

    -brady
    OpenEMR
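An added example, not OpenEMR's own configuration and not code from either poster, showing how the two suggestions in this thread could be consolidated into the Apache virtual host (Apache 2.4 syntax). The hostname is a placeholder, and the exact locations of the documents, edi and era directories are assumptions; only /var/www/openemr comes from the posts.

```apache
# Added example (not OpenEMR's own config): Apache 2.4 vhost fragment that
# consolidates the measures discussed above. Paths are assumptions; adjust
# them to the actual install layout.
<VirtualHost *:443>
    ServerName openemr.example.org            # placeholder hostname
    DocumentRoot /var/www/openemr

    # Disable automatic directory listings for the whole tree and ignore
    # per-directory .htaccess files, so the policy lives in one place and
    # does not silently depend on AllowOverride being enabled.
    <Directory "/var/www/openemr">
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    # Patient documents and EDI/ERA billing files must only ever be served
    # through OpenEMR's PHP code, never fetched as static files. The path
    # pattern (root or sites/<name>/) is an assumption about the layout.
    <DirectoryMatch "^/var/www/openemr(/sites/[^/]+)?/(documents|edi|era)(/|$)">
        Require all denied
    </DirectoryMatch>
</VirtualHost>
```

If the .htaccess route is preferred instead, the root <Directory> block needs at least "AllowOverride Options AuthConfig" for "Options -Indexes" and "Require" lines in the file to take effect; with the default "AllowOverride None" the file is ignored, which is the pitfall described in the second post.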
