LH-EHR Authenticated Unrestricted SQL Injection
The Issue
SQL injection is a class of vulnerability in which user-controlled input is concatenated into a database query without validation or parameterization. An attacker who controls that input can change the query the application sends to the database, which can expose every row the application's database account can read and allows stored data to be modified, undermining its integrity.
An attacker must be authenticated to perform this attack.
Where the Issue Occurred
The following code snippet shows the SQL query being built by concatenating the untrusted request parameter $_GET['layout_id'] directly into the statement text:
$res = sqlStatement("SELECT distinct(group_name) FROM layout_options WHERE " .
"form_id = '".$_GET['layout_id']."' ORDER BY group_name");
Source: lh-ehr/interface/super/show_groups_popup.php#L51-L52
The following code snippet shows the result set of that query being read, confirming the tainted statement is executed rather than merely constructed:
while ($row = sqlFetchArray($res)) {
Source: lh-ehr/interface/super/show_groups_popup.php#L53
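As an added example (not code from the LH-EHR project or the original post), the vulnerable string-building pattern from show_groups_popup.php is reproduced beside a parameterized version and run against a throwaway in-memory SQLite table. The table and column names mirror the advisory; the rows and the crafted layout_id value are constructed for the demonstration, and the sqlStatement($sql, array(...)) binding form mentioned in the comments is an assumption taken from OpenEMR-derived code that should be checked against LH-EHR's own SQL helper.

```php
<?php
// Added example, not LH-EHR code: the same string-building pattern as
// show_groups_popup.php, beside a parameterized version, exercised against an
// in-memory SQLite table. Table/column names mirror the advisory; rows and the
// crafted layout_id value are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE layout_options (form_id TEXT NOT NULL, group_name TEXT NOT NULL)");
$db->exec("INSERT INTO layout_options (form_id, group_name) VALUES " .
          "('DEM', 'Who'), ('DEM', 'Contact'), ('HIS', 'Family')");

// Vulnerable: the request value is spliced into the SQL text, exactly as the
// snippet from show_groups_popup.php does with $_GET['layout_id'].
function groupsVulnerable(PDO $db, string $layoutId): array
{
    $sql = "SELECT distinct(group_name) FROM layout_options WHERE " .
           "form_id = '" . $layoutId . "' ORDER BY group_name";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is bound as a parameter, so the database never parses
// it as SQL. In OpenEMR-derived code the equivalent (assumed; verify against
// LH-EHR's SQL helper) is
//   sqlStatement("... WHERE form_id = ? ORDER BY group_name", array($_GET['layout_id']));
function groupsSafe(PDO $db, string $layoutId): array
{
    $stmt = $db->prepare("SELECT distinct(group_name) FROM layout_options " .
                         "WHERE form_id = ? ORDER BY group_name");
    $stmt->execute([$layoutId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$honest  = "DEM";
$crafted = "DEM' OR '1'='1";  // constructed payload: closes the quote, appends a tautology

// Self-check: the tautology makes the vulnerable query's WHERE clause always
// true, so groups from every form come back; the bound parameter is compared
// as a literal string and matches no row.
$checks = [
    [groupsVulnerable($db, $honest),  ['Contact', 'Who']],
    [groupsVulnerable($db, $crafted), ['Contact', 'Family', 'Who']],
    [groupsSafe($db, $honest),        ['Contact', 'Who']],
    [groupsSafe($db, $crafted),       []],
];
foreach ($checks as [$got, $want]) {
    if ($got !== $want) {
        throw new RuntimeException('unexpected result: ' . json_encode($got));
    }
}
echo "vulnerable query returned ", count(groupsVulnerable($db, $crafted)),
     " groups for the crafted value; parameterized query returned ",
     count(groupsSafe($db, $crafted)), "\n";
```

Run it with the pdo_sqlite extension enabled (php example.php). The point of the side-by-side is that the fix is not escaping the value but keeping it out of the SQL text altogether; restricting layout_id to a known list of layout identifiers before the query is a reasonable extra check, but parameterization is what closes the injection.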
Disclosure Timeline
- Issue Reported: 23rd July 2018
- Issue Resolved: <TBD>
- Blog Post Published: 8th August 2018
- Applied for CVE: 8th August 2018