0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal: securing open-source projects.

LH-EHR Authenticated Unrestricted File Deletion

The Issue

Unrestricted file deletion vulnerabilities arise when an application trusts a user's input as the path of the file to be deleted, letting the user choose which file is removed. This may allow an attacker to create a denial of service scenario.

An attacker must be authenticated to perform this attack.

Where the Issue Occurred

The following code snippet displays the usage of the unlink function in PHP within the lh-ehr application:

unlink($_POST['docid']); 

Source: lh-ehr/patient_portal/import_template.php#30
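As an added illustration of how the unlink call above could be confined (example code written for this post, not lh-ehr's own fix), the following keeps the same $_POST['docid'] input but resolves it inside a single directory and refuses anything that escapes it; the $templateDir path is an assumption, since the page does not show the application's directory layout.

```php
<?php
// Added example, not lh-ehr code. $templateDir is an assumed location;
// the real application's directory layout is not shown on this page.
$templateDir = '/var/www/lh-ehr/sites/default/documents/templates'; // assumed

// The vulnerable pattern from the advisory is unlink($_POST['docid']):
// the POSTed value is used as a path with no validation, so a value such
// as "../../some/other/file" is deleted just as readily as a template.

// Hardened form: treat docid as a bare file name, resolve it inside the
// template directory, and refuse anything that escapes or is not a plain file.
function deleteTemplateSafe(string $docid, string $templateDir): bool
{
    // Strip any directory component; only the final name component survives.
    $name = basename($docid);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    $base = realpath($templateDir);
    $target = realpath($templateDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false) {
        return false; // directory missing or file does not exist
    }

    // Containment check: the resolved target must sit directly under the base.
    // A symlink inside the directory that points elsewhere resolves outside
    // the base and is rejected here as well.
    if (dirname($target) !== $base || !is_file($target)) {
        return false;
    }

    // An authorization check (does the current user own this template?) also
    // belongs here; the page does not show the session model, so it is omitted.
    return unlink($target);
}

// Example caller, still using the request parameter the advisory cites.
if (isset($_POST['docid']) && is_string($_POST['docid'])) {
    if (!deleteTemplateSafe($_POST['docid'], $templateDir)) {
        http_response_code(400);
        echo 'Invalid document id';
    }
}
```

Because the check compares realpath() output against the resolved base directory rather than inspecting the raw string, encoded or nested traversal sequences are handled by the filesystem resolution itself rather than by pattern matching.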

Disclosure Timeline

  • Issue Reported: 23rd July 2018
  • Issue Resolved: <TBD>
  • Blog Post Published: 7th August 2018
  • Applied for CVE: 8th August 2018