0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal; securing open-source projects.

LH-EHR Authenticated Unrestricted File Write in letter.php

The Issue

Unrestricted file write vulnerabilities allow attackers to write file such as PHP files, in locations where the web server user has access to write. This may allow an attacker to write files with malicious content and may lead to remote code execution.

An attacker must be authenticated to perform this attack.

Where the Issue Occurred

The following code snippet displays the usage of the fopen function in PHP within the lh-ehr application:

$fh = fopen("$template_dir/".$_POST['newtemplatename'], 'w'); 

Source: lh-ehr//interface/patient_file/letter.php#L254

This creates or overwrites a file that the web server user has access to. The following code snippet displays writing user controlled content within the user controlled file:

if (! fwrite($fh, $temp_bodytext)) { 

Source: lh-ehr//interface/patient_file/letter.php#L260

Disclosure Timeline

  • Issue Reported: 23rd July 2018
  • Issue Resolved: <TBD>
  • Blog Post Published: 7th August 2018
  • Applied for CVE: 8th August 2018