0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal: securing open-source projects.

LH-EHR Authenticated Unrestricted SQL Injection

The Issue

SQL injection is a class of vulnerability in which the developer places too much trust in user-controlled input and concatenates it directly into a database query. This allows an attacker to run queries of their own choosing against the database, which can compromise the confidentiality of all data it holds and call the integrity of that data into question.

An attacker must be authenticated to perform this attack.

Where the Issue Occurred

The following code snippet shows the SQL query being created with a tainted variable:

// $_GET['layout_id'] is concatenated into the SQL text without escaping or binding
$res = sqlStatement("SELECT distinct(group_name) FROM layout_options WHERE " .
                    "form_id = '".$_GET['layout_id']."' ORDER BY group_name");

Source: lh-ehr/interface/super/show_groups_popup.php#L51-L52

The following code snippet shows the above-mentioned SQL query being executed:

while ($row = sqlFetchArray($res)) { 

Source: lh-ehr/interface/super/show_groups_popup.php#L53
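To make the defect concrete, the following is an added example (not LH-EHR's code) that reproduces the concatenation pattern from show_groups_popup.php beside a parameterised version of the same query. It runs against an in-memory SQLite copy of a minimal layout_options table with constructed rows; the input value containing a quote is likewise constructed for illustration.

```php
<?php
// Added example, not LH-EHR code: the vulnerable concatenation pattern beside
// a bound-parameter version, run on constructed data in in-memory SQLite.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE layout_options (form_id TEXT, group_name TEXT)");
$pdo->exec("INSERT INTO layout_options VALUES
    ('DEM', 'Demographics'), ('DEM', 'Contact'),
    ('HIS', 'History'),      ('RESTRICTED', 'Internal')");   // constructed rows

// Vulnerable: the caller-supplied value becomes part of the SQL text, so a
// quote inside it closes the string literal and the remainder is parsed as SQL.
function groupsUnsafe(PDO $pdo, string $layoutId): array {
    $sql = "SELECT distinct(group_name) FROM layout_options WHERE " .
           "form_id = '" . $layoutId . "' ORDER BY group_name";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is sent as a bound parameter and is never parsed as SQL,
// so a quote in it is just a character being compared against form_id.
function groupsSafe(PDO $pdo, string $layoutId): array {
    $stmt = $pdo->prepare("SELECT distinct(group_name) FROM layout_options " .
                          "WHERE form_id = ? ORDER BY group_name");
    $stmt->execute([$layoutId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$benign  = 'DEM';
$tainted = "DEM' OR '1'='1";   // constructed: a value that contains a quote

print_r(groupsUnsafe($pdo, $benign));
print_r(groupsSafe($pdo, $benign));

print_r(groupsUnsafe($pdo, $tainted));
print_r(groupsSafe($pdo, $tainted));
```

With the benign value both functions return the same two groups. With the quote-bearing value the concatenated query's WHERE clause no longer restricts by form, so it returns the groups of every form in the table, including the 'RESTRICTED' one, while the bound version returns no rows because no form_id equals that literal string. In LH-EHR itself the equivalent fix is to pass the value as a bind parameter rather than splicing it into the string; assuming its sqlStatement helper accepts a bind array in the same way OpenEMR's does (an assumption here, not verified against the LH-EHR source), that is `sqlStatement("... WHERE form_id = ? ORDER BY group_name", array($_GET['layout_id']))`.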

Disclosure Timeline

  • Issue Reported: 23rd July 2018
  • Issue Resolved: <TBD>
  • Blog Post Published: 8th August 2018
  • Applied for CVE: 8th August 2018