CVE-2018-1000649
Description
LibreHealthIO lh-ehr version REL-2.0.0 contains an Authenticated Unrestricted File Write vulnerability in letter.php (2), in the patient file letter functions, that can result in writing files with malicious content and may lead to remote code execution. This attack appears to be exploitable via user-controlled input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated unrestricted file write in LibreHealthIO lh-ehr REL-2.0.0 allows remote code execution via crafted file content in letter.php.
Vulnerability
The vulnerability exists in lh-ehr/interface/patient_file/letter.php at line 278, where fopen() opens for writing a file path constructed from the user-controlled $_POST['form_template'] without proper sanitization. The file content is also user-controlled via $temp_bodytext (line 284). This allows an authenticated attacker to write arbitrary files, including PHP scripts, to any location writable by the web server. Affected version: REL-2.0.0 [1][2].
Exploitation
An attacker must be authenticated to the application. They can craft a POST request to letter.php with a form_template parameter containing a path traversal (e.g., ../../some/path/shell.php) and a temp_bodytext parameter containing malicious PHP code. The server will write the file to the specified location. No additional user interaction is required beyond authentication [1][2].
Impact
Successful exploitation allows the attacker to write arbitrary files with malicious content, such as a PHP web shell, leading to remote code execution on the server. The attacker gains the same privileges as the web server user, potentially compromising the entire application and underlying system [1][2].
Mitigation
As of the disclosure timeline (July 2018), no fix had been released. The issue was reported on 23 July 2018 and remains unresolved in the available references. Users should restrict access to the affected endpoint, apply input validation, and monitor for updates from LibreHealthIO. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
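One way to apply the input validation the mitigation calls for, as an added example that is not lh-ehr's own code: the template name taken from $_POST['form_template'] is restricted to a plain identifier and the resolved path is confined to a fixed templates directory before the body text is written. TEMPLATE_DIR and the function names are assumptions; the request parameter names are the ones cited in the advisory.

```php
<?php
// Added example (not lh-ehr code): confine a user-supplied template name to a
// fixed templates directory before writing. TEMPLATE_DIR is an assumption.
const TEMPLATE_DIR = '/var/www/lh-ehr/templates/letters';

/**
 * Return the absolute path for $name inside TEMPLATE_DIR, or null if the name
 * is unsafe. Rejects separators, traversal and anything but a plain identifier.
 */
function safeTemplatePath(string $name): ?string
{
    // Allowlist: letters, digits, underscore, hyphen; at most 64 characters.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    if ($base === false) {
        return null; // templates directory missing or unreadable
    }
    $path = $base . DIRECTORY_SEPARATOR . $name . '.txt';
    // If the file already exists, make sure it really resolves inside $base
    // (guards against a symlink planted in the templates directory).
    $resolved = file_exists($path) ? realpath($path) : $path;
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

/**
 * Save letter text to a template. Returns true on success, false if the name
 * was rejected or the write failed. The fixed .txt extension keeps the web
 * server from treating the stored body text as executable PHP.
 */
function saveLetterTemplate(string $name, string $bodyText): bool
{
    $path = safeTemplatePath($name);
    if ($path === null) {
        // Log rejected names: repeated rejections are a useful detection signal.
        error_log('letter.php: rejected template name ' . json_encode($name));
        return false;
    }
    // LOCK_EX avoids interleaved writes from concurrent requests.
    return file_put_contents($path, $bodyText, LOCK_EX) !== false;
}

// Usage with the request parameters named in the advisory:
// $ok = saveLetterTemplate((string)($_POST['form_template'] ?? ''),
//                          (string)($_POST['temp_bodytext'] ?? ''));
```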
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: EventPlanning, INTERN, REL-2_0_0, … (+1 more)
- (no CPE) range: = REL-2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- 0dd.zone/2018/08/07/lh-ehr-Authenticated-File-Write-Letter-PHP-2/ (MISC)
- github.com/LibreHealthIO/lh-ehr/issues/1214 (MISC)
News mentions
No linked articles in our index yet.