ZIP Bombs and Large ZIP files are being allowed to be uploaded on the portal
ASVS V12.1 (File Upload Requirements) is violated by this bug.
Specifically, ASVS 12.1.2: "Verify that files are checked for 'zip bombs' - small input files that decompress into huge files thus exhausting file storage limits."
This affects CWE-409: Improper Handling of Highly Compressed Data (Data Amplification).
To Reproduce
Steps to reproduce the behavior:
a. Launch the OpenEMR application.
b. Sign in using the admin credentials (by default Username: admin, Password: pass).
c. Go to the site https://theaviary.me/Zip-Bomb/42.html and download the zip file under the old version. This is because the new version requires a password before unzipping.
d. Once the file has been downloaded, go back to the OpenEMR portal where you logged in as admin.
e. In the navigation bar at the top of the page, go to Admin -> Document Templates -> Documents. This takes you to the "Document Template Management" page.
f. Upload the zip file downloaded in step c under the "Upload a Template" option on the "Document Template Management" page.
Expected behavior
The file should not be allowed to be uploaded because it is a zip bomb; it should be checked and rejected during the upload itself.
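The check the reporter is asking for, as an added example that is not OpenEMR's code (OpenEMR is PHP; this is Python against the standard zipfile module so it can be run as-is). The limits (50 MiB total, 100:1 amplification, 1000 entries) are hypothetical policy values, and the two sample archives are constructed in memory, not the file from the linked site. It rejects in two layers: a cheap pre-check on the sizes the uploader declares in the central directory (declared total, amplification ratio, entry count, nested archives), then a bounded inflation that actually decompresses every entry through a byte budget, so a central directory that lies about sizes does not get past the first layer.

```python
import io
import random
import zipfile

# Hypothetical policy limits for a template upload; tune them per deployment.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # 50 MiB summed over all entries
MAX_RATIO = 100                             # uncompressed : compressed
MAX_ENTRIES = 1000
CHUNK = 64 * 1024


def precheck_directory(zf, max_total=MAX_TOTAL_UNCOMPRESSED,
                       max_ratio=MAX_RATIO, max_entries=MAX_ENTRIES):
    """Cheap reject based on the central directory, i.e. on sizes as *declared*
    by the uploader. Returns (ok, reason, declared_uncompressed_total)."""
    infos = zf.infolist()
    if len(infos) > max_entries:
        return False, "too many entries (%d > %d)" % (len(infos), max_entries), 0
    declared = compressed = 0
    for info in infos:
        # A zip inside a zip defeats any single-level ratio check; refuse it.
        if info.filename.lower().endswith((".zip", ".jar", ".war")):
            return False, "nested archive %r not allowed" % info.filename, declared
        declared += info.file_size
        compressed += info.compress_size
        if declared > max_total:
            return False, "declared size %d exceeds %d" % (declared, max_total), declared
    if compressed and declared / compressed > max_ratio:
        return False, "amplification %d:1 exceeds %d:1" % (declared // compressed, max_ratio), declared
    return True, "directory ok", declared


def inflate_with_cap(data, max_total=MAX_TOTAL_UNCOMPRESSED):
    """Actually inflate every entry through a byte budget, never trusting the
    declared sizes. Returns (ok, reason, bytes_inflated)."""
    inflated = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    inflated += len(chunk)
                    if inflated > max_total:
                        return False, "inflated bytes exceed %d in %r" % (max_total, info.filename), inflated
    return True, "inflate ok", inflated


def is_safe_zip(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO,
                max_entries=MAX_ENTRIES):
    """Verdict for an uploaded archive: (ok, reason). Reject before storing."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            ok, reason, _ = precheck_directory(zf, max_total, max_ratio, max_entries)
        if not ok:
            return False, reason
        ok, reason, _ = inflate_with_cap(data, max_total)
        return ok, reason
    except zipfile.BadZipFile as exc:
        # Truncated or corrupt archives (including CRC mismatches) are rejected too.
        return False, "not a valid zip: %s" % exc


def make_zip(entries):
    """Build a deflated zip in memory from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not the file from the linked site).
BENIGN_ZIP = make_zip({"template.odt": random.Random(7).randbytes(8192)})  # ~1:1
BOMB_ZIP = make_zip({"bomb.bin": b"\0" * (8 * 1024 * 1024)})  # 8 MiB -> ~8 KiB

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("bomb", BOMB_ZIP)):
        print(label, len(blob), "bytes ->", is_safe_zip(blob))
```

The ratio rule alone is not sufficient: a legitimate archive of near-empty spreadsheets can exceed 100:1, and a multi-level bomb keeps each level under any ratio you pick, which is why nested archives are refused outright and why the inflation budget, not the directory pre-check, is the guarantee. Run the check on the uploaded bytes before anything is written to the document store, and keep the budget at or below whatever the extraction step will later write to disk.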