Web Application is Vulnerable to Arbitrary File Upload



FedBizOpps Sources Sought Notice (Rev. March 2010)

Classification code: D
Subject: TAC-17-37771 - 18F Micro-Purchase Digital Auction Services
Contracting office's ZIP code: 07724
Solicitation number: VA118-17-N-1832
Response date (MM-DD-YYYY): 12-23-2016
Archive days after the response date: 15
NAICS code: 541519
Contracting office address: Department of Veterans Affairs, Technology Acquisition Center, 23 Christopher Way, Eatontown NJ 07724
Point of contact: Peter Lewandowski, peter.lewandowski@
Description: See attachment

REQUEST FOR INFORMATION
TAC-17-37771 - Micro-Purchase Digital Auction Platform Services

The purpose of this Sources Sought Notice is to search for qualified service-disabled Veteran-owned small business and Veteran-owned small business vendors capable of meeting the requirements to provide digital services and product features, through the use of auctions on a digital auction platform, to the Department of Veterans Affairs (VA).

This is a Request for Information (RFI) only and shall not be considered an Invitation for Bids, Request for Quotations, or a Request for Proposals. This market research is issued for information and planning purposes only; it does not constitute a solicitation, nor does it restrict the Government as to the ultimate acquisition approach. It is based upon the best information available and is subject to future modification. This request does not commit VA to contract for any supply or service whatsoever. VA is not, at this time, seeking proposals and will not accept unsolicited proposals.

Responders are advised that VA will not pay for any information or administrative costs incurred in response to this RFI; all costs associated with responding to this RFI will be solely at the responder's expense. Not responding to this RFI does not preclude participation in any future RFP, if any is issued. Any information submitted by respondents to this RFI is strictly voluntary. Responders are fully responsible for adequately marking proprietary, restricted, or competition-sensitive information contained in their response. All submissions become Government property and will not be returned.

Overview:
VA intends to enter into an Interagency Agreement (IAA) with the General Services Administration (GSA) that will provide the framework for GSA to deliver digital services focused on the interaction between Government and small business through 18F's open source marketplace. GSA will deliver digital services and product features through the use of auctions on the 18F digital auctions platform. 18F Micro-purchase functions as a reverse auction house: VA will submit micro-purchase requirements to 18F, and 18F will solicit quotes from vendors through the 18F digital auctions platform. Vendors will evaluate auctions, review the source code associated with each auction, and submit their quotes. At the end of each auction, the winning vendor will deliver their work in accordance with GSA's policy. GSA 18F will support VA in scoping the requirements, and will identify acceptance criteria, run the auction, supervise delivery of the requirement, and evaluate the deliverable. Please see the attached Statement of Work (SOW) for additional information and details.

How to Respond:
Interested parties are encouraged to reply to this RFI no later than 9:00 AM Eastern Time, December 23, 2016, by email to Peter Lewandowski, peter.lewandowski@.

Capability Statement – No more than 10 pages. Please describe current capabilities related to digital auction services, as well as company experience in meeting the SOW requirements. Interested parties are advised to note the key requirements in the SOW. Please include the following descriptive information in your capability statement: name of company, point of contact, telephone number, email address, company address, size of business, and GSA schedules if applicable.

Comments and Feedback – No more than 10 pages. Interested parties are encouraged to respond to this RFI with their comments, concerns, questions and overall feedback. Additionally, please indicate whether the requirement is sufficiently detailed and clear for a comprehensive response. If not, propose your suggested changes.

Statement of Work
The General Services Administration (GSA), Office of Citizen Services and Innovative Technologies / 18F
and
VHA Innovation Program, Office of Connected Care 10P8

1.0 BACKGROUND
The U.S. General Services Administration (GSA), the Servicing Agency, through its Office of Citizen Services and Innovative Technologies and 18F, builds effective, user-centric digital services focused on the interaction between Government and the people and businesses it serves. 18F helps agencies deliver on their mission through the development of digital and web services. Its mission is to transform the way the government builds and buys information technology (IT), with an emphasis on public-facing digital services. One of the ways 18F assists other agencies is through Acquisition Services, whereby 18F provides hands-on, acquisition-oriented consulting to Federal program managers and other leaders who need assistance in procuring software built with modern development methodologies and techniques such as agile, lean and open source. For purposes of this Statement of Work (SOW), the Requesting Agency is the Veterans Health Administration (VHA) Innovation Program, Office of Connected Care 10P8.
The Requesting Agency requires the services of GSA, through 18F, to assist in the development of additional products and features. Through this agreement, GSA will deliver digital services and product features through the use of auctions on the 18F digital auctions platform. To do so, 18F will support the VHA Innovation Program in scoping the requirements, and will identify acceptance criteria, run the auction, supervise the delivery of the requirement, and evaluate the deliverable. The performance period from close of auction to evaluation of the deliverable will ideally last one week, but may run longer if scoping determines that this is necessary. If the deliverable does not meet the acceptance criteria, the auction may be rerun at the discretion of the Requesting Agency.

2.0 SCOPE OF WORK AND DELIVERABLES
18F will provide the Requesting Agency with the following:
- Undertake an initial discovery sprint to scope the auction and create a draft auction;
- Conduct an auction;
- Oversee the delivery of the solution acquired under the auction(s);
- Evaluate the deliverable submitted by the vendor;
- Deliver a final product feature for applications identified by the VHA Innovation Program.

The auctions selected will consist of projects originating from the Department of Veterans Affairs (VA) Office of Connected Care. Projects selected for auction are geared towards enhancing health care coordination across VA and supporting Veterans' participation in their own care. Two examples of possible VA requirements for auction are:

Auction 1: Updating Web application data in the Chemotherapy Order Management System (COMS) tool.

Background: COMS is a comprehensive web-based application that aims to support oncology care teams in automated ordering, preparing, and documenting the administration of chemotherapy treatment to Veterans.
Current State: A Web Application Security Assessment was conducted to identify common vulnerabilities and determine the likelihood that a malicious individual could obtain unauthorized access to the application, data, or other network resources. During testing, seven findings were identified that require correction.

Tasks required: Correct the application based on the recommendation, or remove the affected websites/data files currently affecting the web application.

Issue: Security Misconfiguration
Finding: Web Application is Vulnerable to Arbitrary File Upload
Affected websites: the support and feedback pages do not restrict the type of file that can be uploaded.
Task: Remove data files identified in the affected websites.

Issue: Failure to Restrict URL Access
Finding: Web Application does not Enforce Authorization & Authentication on Some Pages
Affected websites:
Task: Remove data files identified in the affected websites.

Issue: Security Misconfiguration
Finding: Sensitive Information Available On GitHub Repository
Affected websites: information for the application is available on a GitHub repository, including:
- application source code, which reveals to attackers the serious security vulnerabilities present in the application;
- application admin credentials embedded in code;
- application system component Internet Protocol (IP) addresses;
- available application system services (ssh) and associated credentials;
- application system infrastructure credentials.
Task: Remove COMS admin credentials, usernames, passwords, hostnames/IP addresses and all other sensitive information from the GitHub repository.

Issue: Security Misconfiguration
Finding: MDWS Being Used
Affected websites: the web application uses MDWS ("Meadows") as its web service. This web service is used to access VistA patient Personally Identifiable Information (PII). It has known critical vulnerabilities that allow anonymous attackers to gain access to PII patient data.
Task: Remove the use of MDWS and the associated MDWS framework to access patient PII.

Issue: Insufficient Transport Layer Protection
Finding: Web Service and PII Are Available Unencrypted Over HTTP
Affected websites: the web service is available unencrypted over HTTP (port 80) and transmits PII without using Secure Sockets Layer/Transport Layer Security (SSL/TLS).
Task: Request SSL/TLS certificates via the following site:

Issue:
Finding: Structured Query Language (SQL) Injection
Affected websites: the fid parameter on the update.php page is vulnerable to SQL injection. SQL injection vulnerabilities allow attackers to extract data, sensitive or otherwise, from the backend database server. The injected queries execute with the same database credentials that the web application uses to display and process data.
Task: Delete the support directory file identified in the affected website.

Issue: Cross-Site Scripting (XSS)
Finding: Web Application is Vulnerable to Reflected POST XSS Attacks
Affected websites: /support/update.php?fid=1&TrackNumber=1. The web application does not properly sanitize all user input and output. Variables sent via an HTTP POST request can be modified to include malicious JavaScript that will be executed in the victim's web browser. This type of attack is not persistent and affects only the user being targeted.
Task: Remove data files identified in the affected websites.

Auction 2: Correction of broken authentication and session management within the COMS tool.

Background: COMS is a comprehensive web-based application that aims to support oncology care teams in automated ordering, preparing, and documenting the administration of chemotherapy treatment to Veterans.
Current State: A Web Application Security Assessment was conducted on month/year to identify common vulnerabilities and determine the likelihood that a malicious individual could obtain unauthorized access to the application, data, or other network resources. During testing, two findings were identified that require correction.

Tasks required: Correct the application based on the recommendation, or remove the affected websites/data files currently affecting the web application.

Issue: Broken Authentication and Session Management
Finding: Session Fixation
Affected websites: session fixation allows an attacker to set session information for the victim and hijack the user's session.
Task: Do not allow variables in the GET request to set session cookies. Make sure that each session cookie created is unique. See the following links for more information:

Issue: Broken Authentication and Session Management
Finding: Web Application Sessions Do Not Expire
Affected websites: the PHPSESSID session cookie does not expire.
Task: Expire session IDs on the server after 15 minutes of inactivity. Sessions must be expired on the server, not by setting LOGGEDOFF or EXPIRED in the browser's cookie. Please refer to the following website for more information:

3.0 DELIVERABLE TIMELINE
The Servicing Agency shall deliver to the Requesting Agency the following:

Item: Micro-purchase auctions
Due by: A date mutually agreed upon by both parties.

Item: Evaluation of auction deliverables
Due by: Fewer than 7 business days from completion of the auction.

4.0 PROJECT STATUS AND REPORTING
GSA 18F will provide a status of key milestones on a weekly basis, including recent accomplishments, planned activities, and risks and issues. A financial accounting will be included at least monthly, based upon the requested services.
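The two session-management corrections in Auction 2 (no GET variable may set the session, every session id is unique, and expiry is decided on the server after 15 minutes of inactivity) and the fid injection and reflected TrackNumber findings on /support/update.php in Auction 1 come down to a handful of decisions about where input is trusted. The Python below is an added example written for this page to show those decisions in working code; it is not COMS code (COMS is a PHP application, as the update.php page and the PHPSESSID cookie indicate), nor 18F's or VA's. The table names, column names, account names and the attacker's payload are constructed for the demonstration.

```python
# Added example (not COMS code): a model of the corrections the SOW asks for
# on /support/update.php and on session handling. COMS itself is PHP; the
# table, column and account names below are constructed for this demo.
import html
import secrets
import sqlite3
import time

IDLE_LIMIT_SECONDS = 15 * 60  # the SOW's 15 minutes of inactivity


class ServerSideSessions:
    """Session state lives on the server; the cookie carries only an opaque id.

    Because expiry is decided here, a client replaying an old PHPSESSID, or
    editing a LOGGEDOFF/EXPIRED flag in its own cookie, gains nothing.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._store = {}  # sid -> {"user": str, "last_seen": float}

    def login(self, presented_sid, user):
        # Session fixation defence: never promote an id the client arrived
        # with (an attacker may have planted it). Drop it and issue a new one.
        self._store.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)  # unique, unguessable per creation
        self._store[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def user_for(self, sid):
        rec = self._store.get(sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > IDLE_LIMIT_SECONDS:
            del self._store[sid]  # idle too long: expired on the server
            return None
        rec["last_seen"] = self._clock()
        return rec["user"]


def session_id_from_cookie(headers):
    """Read PHPSESSID from the Cookie header only.

    The query string is never consulted, so a ?PHPSESSID=... planted in a
    link (the GET variable the SOW warns about) cannot choose the session.
    """
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "PHPSESSID" and value:
            return value
    return None


def make_demo_db():
    """Constructed in-memory schema standing in for the COMS support tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE support (fid INTEGER PRIMARY KEY, track_number TEXT);"
        "CREATE TABLE users (username TEXT, password TEXT);"
        "INSERT INTO support VALUES (1, 'TN-1001');"
        "INSERT INTO users VALUES ('admin', 'constructed-secret');"
    )
    return conn


def update_page_vulnerable(conn, fid):
    """The pattern behind the finding: fid is spliced into the SQL text, so
    the query runs with the application's own database credentials and
    returns whatever the attacker UNIONs in."""
    sql = f"SELECT track_number FROM support WHERE fid = {fid}"
    return [row[0] for row in conn.execute(sql)]


def update_page_fixed(conn, fid, track_number):
    """Hardened handler returning (http_status, html_body).

    fid is type-checked and bound as a parameter, so the query text is fixed;
    the reflected TrackNumber is HTML-encoded before it reaches the page.
    """
    if not fid.isdigit():
        return 400, "<p>Invalid request.</p>"
    rows = conn.execute(
        "SELECT track_number FROM support WHERE fid = ?", (int(fid),)
    ).fetchall()
    if not rows:
        return 404, "<p>No such record.</p>"
    safe = html.escape(track_number, quote=True)
    return 200, f"<p>Record {int(fid)}, tracking number {safe}</p>"


if __name__ == "__main__":
    conn = make_demo_db()
    payload = "1 UNION SELECT password FROM users"
    print("vulnerable:", update_page_vulnerable(conn, payload))
    print("fixed:", update_page_fixed(conn, payload, "x"))
    print("fixed:", update_page_fixed(conn, "1", "<script>alert(1)</script>"))
```

Run directly, the UNION payload returns the constructed users row through the vulnerable path and a 400 through the fixed one. The point of the session class is where the decision is made: user_for consults only the server's last_seen timestamp, so neither a cookie that looks unexpired nor a flag the client sets in it can keep a session alive past the idle limit, and login always discards whatever id the client presented.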