changeset 944:1e0f49aa75f3
security
| author | Alain Mazy <am@osimis.io> |
|---|---|
| date | Wed, 26 Apr 2023 08:35:35 +0200 |
| parents | e5bfa890c265 |
| children | 11d7d30ca273 |
| files | Sphinx/source/faq/security.rst |
| diffstat | 1 files changed, 5 insertions(+), 3 deletions(-) |
--- a/Sphinx/source/faq/security.rst Mon Apr 24 11:35:14 2023 +0200 +++ b/Sphinx/source/faq/security.rst Wed Apr 26 08:35:35 2023 +0200 @@ -114,9 +114,11 @@ end Very importantly, make sure to protect ``POST`` access to the - ``/tools/execute-script`` URI. This URI can indeed be used by a - malicious user to execute any system command on the computer as the - user that runs Orthanc. + ``/tools/execute-script`` and ``/instances/../export`` URIs. + The first URI can indeed be used by a malicious user to execute any + system command on the computer as the user that runs Orthanc. The second + URI can be used by a malicious user to overwrite system files possibly + with malicious DICOM files that may lead to execution of system commands. * Consider implementing a :ref:`higher-level application <improving-interface>` (e.g. in PHP, Java, Django...) that takes
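Review bot: the `..` in `/instances/../export` reads like a path-traversal segment rather than a placeholder for the instance identifier it appears to stand for; write the route with an explicit placeholder (e.g. `/instances/{id}/export`) so readers configure the right rule and don't mistake the text for a traversal example. The added second sentence is also vague about the actual risk: "overwrite system files possibly with malicious DICOM files that may lead to execution of system commands" does not say which parameter is the problem, which is that the caller chooses the output path and the file is written as the user that runs Orthanc; stating that directly, and keeping the existing advice to restrict `POST` access to both URIs, would make the warning actionable.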