Project: Help Improve the Security of the LibreHealth EHR Codebase

Summary: There are a lot of security vulnerabilities in the LibreHealth EHR Code. This project will aim to fix those vulnerabilities. Some of them are public, others live in a report from security researchers. The accepted student will be granted access to the document. You should prioritize the newer vulnerabilities over the publicly disclosed ones in your project proposal.

Skills:

  • Web Development (HTML, CSS, JS, MySQL, PHP, Laravel)
  • Knowledge of web security vulnerabilities is a huge plus

Task Prerequisites:

  • Clone and setup the EHR instance locally
  • Solve at least two issues on our issue tracker to get familiar with the codebase. They should be security-related.

Deliverable: At the end of the summer we will have reduced the number of security vulnerabilities hopefully to zero.

Bonus points: Perform a penetration test on LibreHealth EHR and submit a report, in addition to your final code work product, to prove that you have caught all of the severe vulnerabilities.

Resources: The codebase is currently hosted on GitHub here and the documentation here.

Security issues - https://github.com/LibreHealthIO/lh-ehr/issues?q=is%3Aissue+is%3Aopen+label%3A"Web+Security"

Mentors: @r0bby, @muarachmann, @judywawira

Hi, I would like to work on this project to improve the security of the LibreHealth EHR codebase.

1 Like

I set up LibreHealth; I am working on my first issue now.

1 Like

Bonus points if you address the security-related ones. The public ones should be fixed now; ideally pick a couple of them!

DO NOT work on any issues labelled outreachy

3 Likes

Hello, I’m Falence Lemungoh, a Computer Engineering student at the University of Buea. I am versed in HTML, CSS, MySQL, JavaScript and PHP with Laravel. I would love to be part of this project. My local environment is set up and running. I’m looking forward to getting started with the prerequisite issues.

Hello. I’ve submitted my draft proposal already.

Did you work on the two issues?

@realJema did you work on two? @wizdom, similarly…

Yes. I did work on two issues.

Neither of these fixes is correct. You clearly did not put a lot of effort into this.

Yes, I linked the pull requests in my proposal.

Well, one of your pull requests is invalid since you failed to check if it was already addressed, and secondly your fixes are not correct at all. This worries me, since you need attention to detail so as not to introduce more vulns when you fix things.

To add onto what I said: What you exhibited @Falence is a huge red flag when it comes to what we’re looking for. Security vulnerabilities are introduced when people don’t pay attention to the whole picture and get lazy.

Your pull requests show that you don’t know what variable is put into the session when a user is authenticated, something you could have looked up. Based on what I can see, you did everything from GitHub and didn’t run this at all. Your chances are not looking good.