# HG changeset patch # User Sebastien Jodogne # Date 1498578919 -7200 # Node ID 4a8df7a0d0b9f455c062e1e999afda9509ce244c # Parent 5b6812f8cc38f69f874507d93bb5b97491f6ee80 sample file to test XSS inside DICOM in Orthanc Explorer diff -r 5b6812f8cc38 -r 4a8df7a0d0b9 Database/2017-06-27-XSSInjection.dcm Binary file Database/2017-06-27-XSSInjection.dcm has changed diff -r 5b6812f8cc38 -r 4a8df7a0d0b9 Database/2017-06-27-XSSInjection.txt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/Database/2017-06-27-XSSInjection.txt Tue Jun 27 17:55:19 2017 +0200 @@ -0,0 +1,21 @@ +Stored Cross Site Scripting (XSS) +--------------------------------- + +- Application: Orthanc (1.2.0) +- Researcher: Victor Pasnkel (Morphus Labs) +- XSS inside DICOM file (metadata) +- File can be uploaded to the Web application +- Tested on: OSX El Capitan (10.11.6) + +Source: +https://drive.google.com/open?id=0B5BZfMPc1T-Ib004SExMZXFNSDg + + +Generation of sample file +------------------------- + +# cp DummyCT.dcm 2017-06-27-XSSInjection.dcm +# dcmodify -m 'PatientName=HelloWorld' \ + -m 'StudyDescription=MyStudy' \ + -m 'SeriesDescription=MySeries' \ + 2017-06-27-XSSInjection.dcm
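Review bot: the "Generation of sample file" recipe in this hunk does not reproduce the committed binary: the three dcmodify values (PatientName=HelloWorld, StudyDescription=MyStudy, SeriesDescription=MySeries) are plain strings, so a reader cannot tell which tag in Database/2017-06-27-XSSInjection.dcm actually carries the markup that Orthanc Explorer must escape, and cannot regenerate the file if the binary is lost. Either state which tag(s) hold the test markup (or say explicitly that the values were deliberately left out of the text), and note that the leading "#" on those lines is a shell prompt rather than a comment, since the same character introduces comments elsewhere in the repository's text files. The Google Drive "Source:" link is also the only pointer to the original report; adding the researcher's advisory title or a second, stable reference would keep the test's provenance verifiable if the link goes stale.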