Dec 15 2008
Encompass Web PACS Forced Browsing Vulnerability
nGenuity Information Services – Security Advisory
Application: Encompass Web PACS
Vendor: AGFA Heartlab
Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
CVE-ID: (PENDING CERT NOTIFIED)
I. BACKGROUND
Heartlab Encompass Web PACS is a web application used to remotely access
and manage echocardiogram patient data. To conform with HIPAA regulations,
access to this data should be password protected.
II. DESCRIPTION
Authentication to PACS patient information can be bypassed by navigating
to the SessionStart.asp page. This page sets up an anonymous user session
and gives access to all patient records.
III. DETAILS
Patient data and records are available by navigating to a URL similar to
https://pacs.example.com/thinclient/SessionStart.asp
No authentication is required.
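One way to detect the access pattern described above in web server logs is to flag any request to the session-start page from a client that has not logged in beforehand. The following is an added example, not code from the advisory or the vendor: it scans constructed IIS W3C-style log lines for hits on /thinclient/SessionStart.asp (the path from the advisory) with no recent login request from the same client. The login handler name /thinclient/Login.asp, the 30-minute window and the sample log entries are assumptions for illustration.

```python
"""Flag forced-browsing access to the PACS session-start page.

Added example, not part of the advisory: only '/thinclient/SessionStart.asp'
comes from the advisory text; the login path, the time window and the log
lines are constructed assumptions.
"""
from datetime import datetime, timedelta

SESSION_START = "/thinclient/sessionstart.asp"   # path from the advisory (lower-cased)
LOGIN_PAGE = "/thinclient/login.asp"             # assumed login handler name
WINDOW = timedelta(minutes=30)                   # how long a prior login is trusted

# Constructed sample log in IIS W3C format:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-12-15 09:00:01 10.0.0.5 POST /thinclient/Login.asp 302
2008-12-15 09:00:02 10.0.0.5 GET /thinclient/SessionStart.asp 200
2008-12-15 09:05:10 10.0.0.9 GET /thinclient/SessionStart.asp 200
2008-12-15 10:00:00 10.0.0.5 GET /thinclient/SessionStart.asp 200
"""


def parse_line(line):
    """Return (timestamp, client_ip, method, path, status); None for blank/header lines."""
    if not line.strip() or line.startswith("#"):
        return None
    date, time, ip, method, path, status = line.split()
    return (datetime.fromisoformat(f"{date} {time}"), ip, method, path.lower(), int(status))


def find_forced_browsing(log_text):
    """Return [(timestamp, ip)] for session-start hits with no login from that IP in WINDOW.

    A POST to the login page is taken as a login attempt; in a real deployment
    key on whatever status code or follow-up request marks a successful login.
    """
    last_login = {}   # client IP -> timestamp of its most recent login request
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, ip, method, path, _status = rec
        if path == LOGIN_PAGE and method == "POST":
            last_login[ip] = ts
        elif path == SESSION_START:
            prior = last_login.get(ip)
            if prior is None or ts - prior > WINDOW:
                alerts.append((ts, ip))
    return alerts


if __name__ == "__main__":
    for ts, ip in find_forced_browsing(SAMPLE_LOG):
        print(f"{ts} {ip} reached SessionStart.asp without a recent login")
```

In the sample, the second client never logs in and the first client returns to the session-start page almost an hour after its login, so both hits are reported; the login-then-session-start pair at 09:00 is not.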
IV. VENDOR
The vendor has been notified and there is a patch available to address this vulnerability.
Copyright (c) 2008 nGenuity Information Services, LLC
