0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal: securing open-source projects.

LH-EHR Authenticated Local File Disclosure

The Issue

Local file disclosure is a vulnerability which allows an attacker to disclose the contents of files on the server. An attacker can use this vulnerability to disclose the contents of sensitive files like /etc/passwd, config files, etc.

In lh-ehr, an attacker must be authenticated to perform this attack. If the attacker knows the path to a file and the web server user has sufficient access to read it, the contents of the file will be echoed in the page.

Where the Issue Occurred

The following code snippet shows how the lh-ehr application passes a POST parameter directly to PHP's file_get_contents function:

echo file_get_contents($_POST['docid']); 

Source: lh-ehr/patient_portal/import_template.php#24
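
One way to constrain the read shown above, as an added example that is not lh-ehr's code or its fix: resolve the requested name with realpath() and return the file only if it lies inside a single allowed directory. TEMPLATE_DIR, its placeholder path and read_template() are assumptions made for illustration.

```php
<?php
// Added example, not lh-ehr code. TEMPLATE_DIR and read_template() are
// hypothetical names, and the path below is a placeholder.
const TEMPLATE_DIR = '/path/to/allowed/templates';

/**
 * Return the contents of $requested only if it resolves to a regular file
 * inside $baseDir; return null for anything else.
 */
function read_template(string $requested, string $baseDir): ?string
{
    // Reject empty input, NUL bytes and stream wrappers (php://, http://, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() collapses "../" and follows symlinks, so the containment
    // check is made on the path that would actually be opened.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }

    // Compare against the base plus a trailing separator so that a sibling
    // such as "templates_old" does not pass as being inside "templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    $data = file_get_contents($resolved);
    return $data === false ? null : $data;
}

// Replaces: echo file_get_contents($_POST['docid']);
$docid = isset($_POST['docid']) && is_string($_POST['docid']) ? $_POST['docid'] : '';
$body = read_template($docid, TEMPLATE_DIR);
if ($body === null) {
    http_response_code(400);
    exit('Invalid template');
}
echo $body;
```

Where the set of readable files is fixed, mapping a server-side identifier to a filename removes the path from user input entirely.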

Disclosure Timeline

  • Issue Reported: 23rd July 2018
  • Issue Resolved: <TBD>
  • Blog Post Published: 5th August 2018
  • Applied for CVE: 8th August 2018