Impact

Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack.

Patches

DHIS2 administrators should upgrade to the following hotfix releases:

• 2.36.12.1
• 2.37.8.1
• 2.38.2.1
• 2.39.0.1

Workarounds

Add the following simple CSP rule in your web proxy to the vulnerable endpoints: script-src 'none'

If you're using nginx, you can apply the following code to your DHIS2 location (usually under /etc/nginx/upstream):

location ~ (/documents/|/fileResources/[0-9a-zA-Z]+/data|/events/files|/dataValues/files|/externalFileResources/|/trackedEntityInstances/[0-9a-zA-Z]+/[0-9a-zA-Z]+/image|/messageConversations/[0-9a-zA-Z]+/[0-9a-zA-Z]+/attachments/) {
  add_header Content-Security-Policy "script-src 'none' ;" always;
  proxy_pass                http://<ip-of-DHIS2>:<port>;
}

Replace the <ip-of-DHIS2-instance>:<port> with the IP and port of the server or container running DHIS2 only.
Then restart nginx.

For Apache, assuming it's already configured as reverse proxy, you have to enable the headers module:

$ sudo a2enmod headers

Then add the following in your default website configuration:

<Location  ~ "(/documents/|/fileResources/[0-9a-zA-Z]+/data|/events/files|/dataValues/files|/externalFileResources/|/trackedEntityInstances/[0-9a-zA-Z]+/[0-9a-zA-Z]+/image/messageConversations/[0-9a-zA-Z]+/[0-9a-zA-Z]+/attachments/)" >
    Header set Content-Security-Policy "script-src 'none';"
</Location>

Restart apache.

References

• https://owasp.org/www-community/attacks/xss/

For more information

If you have any questions or comments about this advisory, email us at [email protected]