
| Project | Initiated Date | Status | Last Cycle Date | Remarks |
| --- | --- | --- | --- | --- |
| IGIMS Patna | 04-Jul-2023 | In Hyderabad | 23-Nov-2023 | Mail by DC to Hyderabad team |
| AIIMS Guwahati | 27-Feb-2023 | On Hold (up to Stage 8 received) | 27-Jul-2023 | Waiting for clearance of IGIMS Patna STH clearance |
| AIIMS Gorakhpur | 09-Dec-2022 | On Hold (up to Stage 6 received) | 30-May-2023 | Waiting for Guwahati closure |
| AIIMS Kalyani | 30-Jan-2023 | On Hold (up to Stage 1 received) | 28-Mar-2023 | Waiting for Guwahati closure |
| AIIMS Raipur | 17-Jan-2023 | On Hold | | Waiting for Guwahati closure |
Stage 3 Receive: 07-Aug-2023 Release: 08-Aug-2023

| Vulnerability | Risk | Status | Comment |
| --- | --- | --- | --- |
| Insecure Cryptography Storage | High | Resolved | ABHA Id encrypted at all places, please verify. Masking cannot be done as the operator needs to ask/inform the patient about the ABHA Id, and it also gets printed on the OPD card as-is as per ABDM guideline. |
| Improper Error Handling | Medium | Resolved | Please verify. |
| Duplicate Headers | Medium | Resolved | Header removed. Please verify. Some headers are added twice from the DC end. Please check and resolve the same. |
| Vulnerable Package | Low | Working | As per the development team, the jar is inside a temp folder path which is not in use. |
| Outdated Java Script Library | Informational | Working | Major impact; the latest version will be updated later with application enhancement. |
| Unimplemented URLs | Informational | Working | Not possible to remove all the URLs inside JS and CSS. The paths and files are not present in the application. |

Stage 2 Receive: 03-Aug-2023 Release: 07-Aug-2023

| Vulnerability | Risk | Status | Comment |
| --- | --- | --- | --- |
| Insecure Cryptography Storage | High | Resolved | ABHA Id encrypted, please verify. Masking cannot be done as the operator needs to ask/inform the patient about the ABHA Id. Billing Cash Collection mobile number in URL parameter: resolved. |
| Default Credentials | Medium | Resolved | Default credentials are reset to 'Admin@123'. |
| Business Logic Data Validation | Medium | Working | Phone number can be 5 to 15 digits. Validation is correct. |
| HTML Form Without CSRF Token | Medium | Working | The given token 'abhttf' is working as the CSRF token, please verify. |
| Improper Error Handling | Medium | Resolved | Password message is coming from the ABDM platform; this is an ABDM sandbox environment issue. Working fine in the production environment. |
| Duplicate Headers | Medium | Working | Change at DC end. Please remove header adding from the server side. |
| Vulnerable Java Script Library | Medium | Resolved | JS updated to latest version. Server path removed from JS. |
| Vulnerable Package | Low | Resolved | Please verify. |
| Outdated Java Script Library | Informational | Resolved | Please verify. |
| Unimplemented URLs | Informational | Resolved | Please verify. |

Stage 1 Receive: 31-Jul-2023 Release: 02-Aug-2023

| # | Vulnerability | Risk | Status | Comment | Description |
| --- | --- | --- | --- | --- | --- |
| 1 | Insecure Cryptography Storage | High | Not Applicable | The Exempted Account Number is not a bank account number, and Exempted Account Number and ABHA Address are shared openly, so neither needs to be hidden or encrypted. | Exempted account number and ABHA Address are not masked and encrypted. |
| 2 | Default Credentials | Medium | Working Fine | These are default passwords. The user is forced to change the password on login. Request you to provide the policy that is required to be implemented, if any. | Application is using default credentials: sthuser: 123456 |
| 3 | Business Logic Data Validation | Medium | Resolved | The email id is updated in Hospital Detail. | Email id is not implemented. |
| 4 | Cross-Site Script Inclusion (XSS) | Medium | Resolved | Commented code is removed. | Do not comment; remove the code. |
| 5 | HTML Form Without CSRF Token | Medium | Working Fine | CSRF tokens are already validated at server-side processing. | Here we can see that no CSRF token has been implemented against CSRF vulnerability. |
| 6 | Improper Error Handling | Medium | Working Fine | Message is coming as per the ABDM sandbox platform; at production it is working. | |
| 7 | Improper OTP Implementation | Medium | Resolved | OTP encrypted in case of Aadhaar OTP. | OTP should be encrypted from the back end. |
| 8 | Duplicate Header | Medium | Resolved | Verified; all headers are the same now. | Ensure each header has a unique name and is sent only once. |
| 9 | OTP is submitted using GET method | Medium | Resolved | GET not allowed for OTP actions. | POST to GET converted and working. |
| 10 | Vulnerable JavaScript | Medium | Working Fine | Both JS are the updated version: jquery-ui.js (1.13), moment.min.js (2.27). | /HIS/hisglobal/js/jquery-ui.js, /HIS/hisglobal/js/moment.min.js |
| 11 | Cross-Site Request Forgery (CSRF) | Low | Resolved | Header changes not in use and not affecting any workflow. | Use CSRF tokens, implement the SameSite attribute, and check the Origin or Referer header to prevent CSRF attacks exploiting the Referer header. |
| 12 | Vulnerable Package | Low | Not Applicable | Jar is inside a temp folder path which is not in use. | Apache Log4j 2.x < 2.13.2 Information Disclosure Vulnerability - Linux |
| 13 | Outdated Java Script Library | Informational | Not Applicable | The JS version will be updated later in the application as it has major changes. | bootstrap 4.0.0 |
| 14 | Unimplemented URL | Informational | Resolved | Removed unimplemented URLs from the login page. | 404 URLs are present. |
