changeset 110:4a8df7a0d0b9

sample file to test XSS inside DICOM in Orthanc Explorer
author Sebastien Jodogne <s.jodogne@gmail.com>
date Tue, 27 Jun 2017 17:55:19 +0200
parents 5b6812f8cc38
children 7005cdeeb704
files Database/2017-06-27-XSSInjection.dcm Database/2017-06-27-XSSInjection.txt
diffstat 2 files changed, 21 insertions(+), 0 deletions(-)
Binary file Database/2017-06-27-XSSInjection.dcm has changed
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/Database/2017-06-27-XSSInjection.txt	Tue Jun 27 17:55:19 2017 +0200
@@ -0,0 +1,21 @@
+Stored Cross Site Scripting (XSS)
+---------------------------------
+
+- Application: Orthanc (1.2.0)
+- Researcher: Victor Pasnkel (Morphus Labs)
+- XSS inside DICOM file (metadata)
+- File can be uploaded to the Web application
+- Tested on: OSX El Capitan (10.11.6)
+
+Source:
+https://drive.google.com/open?id=0B5BZfMPc1T-Ib004SExMZXFNSDg
+
+
+Generation of sample file
+-------------------------
+
+# cp DummyCT.dcm 2017-06-27-XSSInjection.dcm
+# dcmodify -m 'PatientName=HelloWorld<script>alert("XSS inside DICOM file 1");</script>' \
+           -m 'StudyDescription=MyStudy<script>alert("XSS inside DICOM file 2");</script>' \
+           -m 'SeriesDescription=MySeries<script>alert("XSS inside DICOM file 3");</script>' \
+           2017-06-27-XSSInjection.dcm
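Review bot: The generation recipe at the end of the hunk does not state the expected outcome, so the sample cannot serve as a regression test on its own; add a line saying that, after uploading the file, the three injected tags (PatientName, StudyDescription, SeriesDescription) must render as literal text with no alert dialog, and that all three must be checked because Orthanc Explorer shows them on the patient, study and series pages respectively. Two smaller points on the same lines: dcmodify writes a `.bak` copy of the input next to it unless `-nb` is given, so `dcmodify -nb -m ...` would avoid a stray `2017-06-27-XSSInjection.dcm.bak` in Database/; and the `#` prompt in front of the `cp` and `dcmodify` commands reads as a comment marker in a plain-text file, so `$` (or no prompt) would be clearer.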