CVE-2018-1000648

Vulnerability

CVE-2018-1000648 is an authenticated unrestricted file write vulnerability in LibreHealthIO lh-ehr version REL-2.0.0. The bug resides in the letter.php file within the patient file letter functions. The code uses fopen("$template_dir/".$_POST['newtemplatename'], 'w') at line 254 and fwrite($fh, $temp_bodytext) at line 260 without proper validation of the file name or content, allowing an attacker to write or overwrite arbitrary files in directories accessible by the web server user [1][2].

Exploitation

An attacker must be authenticated to exploit this vulnerability. By crafting a POST request to interface/patient_file/letter.php with a newtemplatename parameter that includes a path traversal (e.g., ../evil.php) and a temp_bodytext parameter containing malicious PHP code, the attacker can write a file to any writable location on the server (e.g., the web root or an accessible directory) [1][2].

Impact

Successful exploitation allows the attacker to write files with arbitrary content, including PHP web shells. This can result in remote code execution (RCE) under the context of the web server user, leading to full compromise of the application and potentially the underlying server [1][2].

Mitigation

As of the available references, no patched version has been released for lh-ehr; the issue was reported but not resolved as of the disclosure timeline [1][2]. Security administrators should restrict write permissions on the web server, apply input validation on the newtemplatename parameter (e.g., disallow path traversal characters), and monitor for unauthorized file creation. Users should consider upgrading to any future fixed version when available.