CVE-2018-1000647
Description
LibreHealthIO lh-ehr version REL-2.0.0 contains an Authenticated Unrestricted File Deletion vulnerability in Import template that can result in Denial of service. This attack appears to be exploitable via a user-controlled parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated unrestricted file deletion in LibreHealthIO lh-ehr REL-2.0.0 allows denial of service via user-controlled file path.
Vulnerability
LibreHealthIO lh-ehr version REL-2.0.0 contains an authenticated unrestricted file deletion vulnerability in the patient_portal/import_template.php file. The application uses the PHP unlink() function on line 30 with the user-controlled parameter $_POST['docid'] without proper validation or sanitization, allowing an authenticated attacker to delete arbitrary files on the server [1] [2].
Exploitation
An attacker must first authenticate to the lh-ehr application. The attacker can then craft an HTTP POST request to import_template.php with a manipulated docid parameter containing an arbitrary file path (e.g., using directory traversal sequences such as ../) to delete unintended files. The attack requires only standard user privileges; no additional interaction or elevated access is needed [1] [2].
Impact
Successful exploitation enables the attacker to delete any file on the server that the web server user has permission to remove. This can result in deletion of critical application files, configuration files, or log files, leading to a denial of service condition. The vulnerability does not allow reading or modifying file contents; it is limited to file deletion [1] [2].
Mitigation
As of the published references (August 2018), no official fix had been released; the issue was reported on 23 July 2018 and was listed as "Issue Resolved: " in the disclosure timeline [1]. The project maintainers have been informed [2]. A workaround would involve sanitizing the docid input to restrict deletion to a specific safe directory, or applying proper path validation before calling unlink(). Users should monitor the project's GitHub repository for a patched release.
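The path validation described above, as an added illustration in PHP (not lh-ehr's own code): a user-supplied docid is only ever resolved inside one template directory, and the canonical result is checked against that directory before unlink() runs. The directory path, function names and log message are assumptions.

```php
<?php
// Added example, not code from lh-ehr. Confines deletion to a single
// template directory instead of passing $_POST['docid'] straight to unlink().

function safe_template_path(string $baseDir, string $docid): ?string
{
    // Canonical absolute form of the allowed directory (assumed location).
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Accept only a bare file name: no path separators, no traversal
    // components, no NUL bytes, no empty or dot-only names.
    if ($docid === '' || $docid === '.' || $docid === '..'
        || strpbrk($docid, "/\\\0") !== false) {
        return null;
    }

    // Canonicalise the candidate and confirm it still lies inside $base;
    // this also catches a symlink inside the directory pointing elsewhere.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $docid);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function delete_template(string $baseDir, string $docid): bool
{
    $path = safe_template_path($baseDir, $docid);
    if ($path === null) {
        // Log the rejected value so attempts are visible in server logs.
        error_log('import_template: rejected docid ' . var_export($docid, true));
        return false;
    }
    return unlink($path);
}

// Usage in place of an unchecked unlink($_POST['docid']); the directory
// below is an assumed example path, not the real lh-ehr layout.
$ok = delete_template('/var/www/lh-ehr/templates', $_POST['docid'] ?? '');
```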
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: EventPlanning, INTERN, REL-2_0_0, …
- (no CPE) range: REL-2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] 0dd.zone/2018/08/07/lh-ehr-Authenticated-File-Deletion/ (MISC)
- [2] github.com/LibreHealthIO/lh-ehr/issues/1212 (MISC)
News mentions
No linked articles in our index yet.