I continue to enjoy using Orthanc in a research setting, and appreciate the support of Sebastian, Alain, Osimis, and the community.
I recently read the OWASP 2021 top 10 security concerns, and have a couple of questions:
Is there a way to query Orthanc somehow to get the version of OpenSSL that is being used by a given instance (regardless of whether it was statically compiled or linked to an OS-provided version)?
What protection exists against database injection, e.g., via malicious image headers when Orthanc is being used as an SCP? I’m especially interested in the case of the default DB (SQLite).
And, BTW, if you happen to have some test DICOM files which include some ‘risky’ data, please share them with us. I’m also interested in those files in the scope of the Orthanc Explorer 2 development. You know, the famous patients named ‘"; DROP table *;’ for SQL injection and ‘alert(0)’ for UI testing … (and all their brothers and sisters).
Yes, Alain, that’s exactly what I am asking about. I agree it would be useful to have a few bad images around. I have not tried, but I assume it would be easy to cook up a few using dcmodify to edit field values, like changing the patient name to “John; drop table *; Smith” and friends, and maybe also inserting strings into fields that expect numeric values, bad series numbers such as negative or very large ones, and so on. There could be other kinds of badness that dcmodify cannot perform. I don’t know how to do it, but inserting null values, negative field sizes, or 4G of binary gibberish might violate some assumptions if the DB does not check.
Looking at the code and researching a little: I trust the binding method as used in SetMainDicomTag and elsewhere, because it’s parameterized. Nice. Testing always has its place, of course. I was able to use dcmodify to mess with header values, but don’t want to post such a file to a public forum.
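The two points raised in this thread, parameter binding for tag values and validation of header fields that are supposed to be numeric, can be exercised without any risky DICOM file. The following is an added example, not Orthanc's own code: the table names, the `set_main_dicom_tag` helper, the `parse_series_number` policy and the sample tag dictionaries are all constructed for illustration (Orthanc's real schema and its SetMainDicomTag differ). It stores the hostile patient names quoted above through a bound parameter and checks that they land as inert text, and it rejects a SeriesNumber that is not a well-formed integer before it ever reaches the database, rather than relying on SQLite's loose column affinity to catch it.

```python
import sqlite3
from typing import Optional

# Constructed sample "header" values, including the hostile patient names
# quoted in the thread. These are in-memory fixtures, not real DICOM files.
SAMPLE_TAGS = [
    {"PatientName": "Doe^John",                  "SeriesNumber": "3"},
    {"PatientName": '"; DROP table *;',          "SeriesNumber": "1"},
    {"PatientName": "<script>alert(0)</script>", "SeriesNumber": "-5"},
    {"PatientName": "Smith^Jane",                "SeriesNumber": "not-a-number"},
]

# Hypothetical schema for the demo; not Orthanc's actual tables.
SCHEMA = """
CREATE TABLE MainDicomTags (
    id      INTEGER PRIMARY KEY,
    tagName TEXT NOT NULL,
    value   TEXT NOT NULL
);
CREATE TABLE Series (
    id           INTEGER PRIMARY KEY,
    seriesNumber INTEGER NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_main_dicom_tag(conn: sqlite3.Connection, tag_name: str, value: str) -> None:
    # Parameterized insert: the value is passed as a bound argument, so the
    # SQL text never changes no matter what characters the header contains.
    conn.execute(
        "INSERT INTO MainDicomTags (tagName, value) VALUES (?, ?)",
        (tag_name, value),
    )


def parse_series_number(raw: str) -> Optional[int]:
    # DICOM IS (Integer String) is at most 12 characters. Rejecting negative
    # values is this example's policy (the thread treats them as bad data),
    # not a rule of the DICOM standard.
    s = raw.strip()
    if len(s) > 12:
        return None
    try:
        n = int(s)
    except ValueError:
        return None
    if n < 0 or n > 2**31 - 1:
        return None
    return n


def ingest(conn: sqlite3.Connection, tags: dict) -> bool:
    """Store one instance's tags; return False if a numeric field is malformed."""
    series = parse_series_number(tags.get("SeriesNumber", ""))
    if series is None:
        return False  # refuse the instance instead of storing garbage
    set_main_dicom_tag(conn, "PatientName", tags["PatientName"])
    conn.execute("INSERT INTO Series (seriesNumber) VALUES (?)", (series,))
    return True


def run_demo() -> dict:
    conn = open_db()
    accepted = [ingest(conn, t) for t in SAMPLE_TAGS]
    names = [r[0] for r in conn.execute(
        "SELECT value FROM MainDicomTags WHERE tagName = 'PatientName' ORDER BY id")]
    tables = sorted(r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"))
    # typeof() confirms the numeric column holds integers, not smuggled text.
    types = [r[0] for r in conn.execute("SELECT typeof(seriesNumber) FROM Series")]
    return {"accepted": accepted, "names": names, "tables": tables, "types": types}


if __name__ == "__main__":
    print(run_demo())
```

Binding keeps the `"; DROP table *;` name as an ordinary string and both tables survive; the numeric check is what stops `-5` and `not-a-number` from reaching the INTEGER column, which SQLite would otherwise accept as text. Note that the `alert(0)` name is a different class of problem: binding protects the database, and only output encoding in the viewer (the Orthanc Explorer 2 concern above) protects the UI.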