论文信息 - Testing the security vulnerabilities of OpenEMR 4.1.1: a case study

Testing the security vulnerabilities of OpenEMR 4.1.1: a case study

OpenEMR is a widely used open source electronic medical record system. Since it is used for storing and transmitting sensitive health information, the security posture of the system is of great concern. This paper reports our findings of vulnerabilities in OpenEMR 4.1.1 using various approaches. We analyzed the authentication function of OpenEMR, conducted session ID analysis, source code analysis, black-box testing, scanning with vulnerability assessment tool, as well as testing based on attack patterns. The vulnerabilities discovered include potential authentication vulnerabilities, lack of input validation, cross site scripting, HTTP Parameter Pollution, Server Side Include (SSI) injection, etc. This case study could be adapted into hands-on exercises for teaching software security testing methods.

Xiaohong Yuan | Huiming Yu | Francis Akowuah | Emmanuel Borkor Nuakoh | Jerrisa Lake

[1] Laurie A. Williams,et al. Towards improved security criteria for certification of electronic health record systems , 2010, SEHC '10.

[2] Laurie A. Williams,et al. One Technique is Not Enough: A Comparison of Vulnerability Discovery Techniques , 2011, 2011 International Symposium on Empirical Software Engineering and Measurement.

[3] Laurie A. Williams,et al. Modifying without a trace: general audit guidelines are inadequate for open-source electronic health record audit mechanisms , 2012, IHI '12.

[4] Eric Helms,et al. Evaluating access control of open source electronic health record systems , 2011, SEHC '11.

[5] Sean Barnum,et al. Attack Patterns as a Knowledge Resource for Building Secure Software , 2007 .

[6] Andrew Meneely,et al. Challenges for protecting the privacy of health information: required certification can leave common vulnerabilities undetected , 2010, SPIMACS '10.