CVE-2018-1000646
Description
LibreHealthIO LH-EHR version REL-2.0.0 contains an Authenticated Unrestricted File Write vulnerability in the Import template feature that can result in writing files with malicious content and may lead to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreHealthIO LH-EHR REL-2.0.0 contains an authenticated unrestricted file write vulnerability in import_template.php allowing remote code execution.
Vulnerability
LibreHealthIO LH-EHR version REL-2.0.0 [1] contains an authenticated unrestricted file write vulnerability in the patient_portal/import_template.php script. The code uses file_put_contents($_POST['docid'], $_POST['content']) without validation, allowing an authenticated attacker to write arbitrary files to the web server [2].
Exploitation
An attacker must be authenticated to the application [1][2]. The attacker can then send a POST request to import_template.php with the docid parameter set to the desired file path (e.g., a PHP file in the web root) and the content parameter containing malicious PHP code. The server will write the file using file_put_contents [2].
Impact
Successful exploitation allows the attacker to write arbitrary files, including PHP scripts, to the web server's accessible directories. This can lead to remote code execution (RCE) with the privileges of the web server user [1][2].
Mitigation
As of the published advisory (August 2018), no fix has been released [1][2]. The issue is tracked on GitHub [2]. Users should monitor for updates and consider restricting access to the import functionality or applying input validation as a workaround. The vulnerability is not listed in CISA's KEV as of the knowledge cutoff.
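The workaround above ("applying input validation") is illustrated here with an added example that is not LibreHealth's code: the unrestricted write pattern quoted in the Vulnerability section is kept only as a comment, and the hardened routine restricts every write to a fixed template directory, accepts only a bare identifier as the template name, and forces a non-executable extension. The directory path, function names and size limit are assumptions; the routine is meant to run after the application's existing authentication and CSRF checks.

```php
<?php
// Added example, not code from the LibreHealth project.
// Vulnerable pattern described in the advisory (kept for contrast, never executed):
//     file_put_contents($_POST['docid'], $_POST['content']);
// Both the path and the content come straight from the request.

// Assumed location for stored templates; ideally outside the web root, and in any
// case a directory where the web server is configured not to execute scripts.
const TEMPLATE_DIR = '/var/www/lh-ehr-data/patient_portal/templates';

/**
 * Validate a client-supplied template identifier and return the absolute path it
 * may be written to, or null if the request must be refused.
 */
function resolve_template_path(string $docid, string $baseDir): ?string
{
    // Accept only a bare name: letters, digits, underscore, hyphen. No slashes,
    // no dots, so neither traversal (../) nor a caller-chosen extension is possible.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $docid)) {
        return null;
    }
    // The extension is fixed by the server, so a .php name cannot be requested.
    $target = $baseDir . DIRECTORY_SEPARATOR . $docid . '.tpl';

    // Defence in depth: confirm the resolved parent really is the template directory.
    $realBase = realpath($baseDir);
    if ($realBase === false || realpath(dirname($target)) !== $realBase) {
        return null;
    }
    return $target;
}

/**
 * Store template content under a validated name. Returns true on success.
 */
function save_template(string $docid, string $content): bool
{
    $path = resolve_template_path($docid, TEMPLATE_DIR);
    if ($path === null) {
        http_response_code(400); // reject rather than "sanitise" a bad name
        return false;
    }
    // Assumed size cap so the endpoint cannot be used to fill the disk.
    if (strlen($content) > 1000000) {
        http_response_code(413);
        return false;
    }
    return file_put_contents($path, $content, LOCK_EX) !== false;
}

// Request handling; assumed to run only for an authenticated session.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $docid   = (string)($_POST['docid'] ?? '');
    $content = (string)($_POST['content'] ?? '');
    echo save_template($docid, $content) ? 'saved' : 'rejected';
}
```

The regex is the real control; the `realpath` comparison only catches mistakes such as a misconfigured `TEMPLATE_DIR` that is itself a symlink into the web root. Even with validated names, the stored content is user-supplied, so the directory should also be served (if at all) with script execution disabled.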
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- No CPE; version range: EventPlanning, INTERN, REL-2_0_0, … (+1 more)
- No CPE; version range: = REL-2.0.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- [1] 0dd.zone/2018/08/07/lh-ehr-Authenticated-File-Write/ (MISC)
- [2] github.com/LibreHealthIO/lh-ehr/issues/1211 (MISC)
News mentions (0)
No linked articles in our index yet.