CVE-2018-1000645
Description
LibreHealthIO lh-ehr versions before REL-2.0.0 contain an authenticated local file disclosure vulnerability: the importing of templates allows local file disclosure, which can result in disclosure of sensitive files on the server. This attack appears to be exploitable via a user-controlled variable in the import templates function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated local file disclosure in LibreHealthIO lh-ehr <REL-2.0.0 allows reading arbitrary server files via the `docid` parameter of `import_template.php`.
Vulnerability
An authenticated local file disclosure vulnerability exists in LibreHealthIO lh-ehr versions prior to REL-2.0.0. The issue is in the `import_template.php` script, specifically in the line `echo file_get_contents($_POST['docid']);` [1][2]. The `docid` POST parameter is passed directly to `file_get_contents()`, so an authenticated user can read any file on the server that the web server process can read.
Exploitation
An attacker must be authenticated to the lh-ehr application. By sending a POST request to `import_template.php` with the `docid` parameter set to the absolute path of a target file (e.g., `/etc/passwd`), the contents of the file are echoed in the response [1][2]. No user interaction is required beyond authentication.
Impact
Successful exploitation allows disclosure of sensitive files on the server, such as `/etc/passwd`, configuration files, or other resources readable by the web server user. This can lead to further compromise of the system if credentials or configuration secrets are exposed.
Mitigation
As of the publication of this CVE, no patched version has been released. The issue was reported in July 2018, but the resolution status remains pending [1][2]. Users should monitor the project's repository for updates and consider limiting access to the vulnerable script until a fix is available.
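As an added illustration (not lh-ehr's own code and not a released patch), the vulnerable call quoted in the Vulnerability section is shown beside a hardened replacement that only serves plain file names resolved inside a fixed templates directory; the `$templateDir` and `safe_template_contents()` names are assumptions:

```php
<?php
// Added example, not lh-ehr's own code and not a released patch.
// The advisory's vulnerable pattern is: echo file_get_contents($_POST['docid']);
// $templateDir and safe_template_contents() are hypothetical names.

// Constructed base directory: only files beneath it may ever be returned.
$templateDir = realpath(__DIR__ . '/templates');

function safe_template_contents(string $baseDir, string $docid): ?string
{
    // Accept only a plain file name: letters, digits, '_', '-', '.', and
    // not starting with a dot. This rules out '/', '\', NUL, '.', '..' and
    // dotfiles before any filesystem call is made.
    if ($baseDir === '' || !preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $docid)) {
        return null;
    }
    $resolved = realpath($baseDir . DIRECTORY_SEPARATOR . $docid);
    // realpath() is false for a missing file. Re-check containment on the
    // canonical path so a symlink inside the directory cannot point outside it.
    if ($resolved === false
        || strncmp($resolved, $baseDir . DIRECTORY_SEPARATOR, strlen($baseDir) + 1) !== 0
        || !is_file($resolved)) {
        return null;
    }
    return file_get_contents($resolved);
}

// Vulnerable form from the advisory, shown for contrast (do not use):
//   echo file_get_contents($_POST['docid']);
// Hardened replacement:
$contents = safe_template_contents($templateDir ?: '', $_POST['docid'] ?? '');
if ($contents === null) {
    http_response_code(400);
    echo 'Invalid template identifier';
} else {
    echo $contents;
}
```

Mapping a template identifier to a stored record (for example a database row holding the file name) instead of accepting a file name removes the path from user control entirely.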
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products (2): EventPlanning, INTERN, REL_101, … + 1 more
- (no CPE) range: EventPlanning, INTERN, REL_101, …
- (no CPE) range: < REL-2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] 0dd.zone/2018/08/05/lh-ehr-Authenticated-Local-File-Disclosure/ (MISC)
- [2] github.com/LibreHealthIO/lh-ehr/issues/1210 (CONFIRM)
News mentions
No linked articles in our index yet.