CVE-2018-1000839
Description
LH-EHR version REL-2_0_0 contains an Arbitrary File Upload vulnerability in Profile picture upload that can result in Remote Code Execution. This attack appears to be exploitable via uploading a PHP file with an image MIME type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LH-EHR REL-2_0_0 allows authenticated users to upload arbitrary PHP files via profile picture upload, leading to remote code execution.
Vulnerability
LH-EHR version REL-2_0_0 contains an arbitrary file upload vulnerability in the profile picture upload functionality ([1], [2]). The issue occurs in interface/patient_file/summary/demographics.php at line 1735, where a file is moved to the profile_pictures directory using move_uploaded_file with the extension derived from the uploaded file's name, without proper validation of file content. The MIME type check relies on the Content-Type header, which is attacker-controlled, allowing a PHP file to be uploaded with an image MIME type ([1], [2]).
Exploitation
An attacker must be an authenticated user with sufficient privileges to upload a profile picture. Any valid user can perform this attack ([1], [2]). The attacker sends a POST request to demographics.php with a set_pid parameter and a file named with a .php extension and a MIME type such as image/png. The file is saved to the profile_pictures/ directory with the patient ID as the filename and php extension. The attacker can then access the uploaded file via HTTP to execute arbitrary PHP code ([1], [2]).
Impact
Successful exploitation allows remote code execution as the web server user (www-data), leading to full compromise of the server and access to sensitive patient data ([1], [2]).
Mitigation
No official fix has been released as of the publication date. The issue remains unresolved in the GitHub repository ([2]). A possible workaround is to disable the profile picture upload feature or restrict execution of PHP files in the profile_pictures/ directory via web server configuration. However, no vendor-provided mitigation exists.
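The two weaknesses named above (an extension copied from the client-supplied filename, and a MIME check that trusts the client's Content-Type header) are both closed by the handler below. This is an added illustration, not LH-EHR code and not a vendor patch; it assumes a `$_FILES['profile_picture']` field, an already-validated integer `$patientId`, and an upload directory the web server does not execute scripts from. The allowed-type map, size limit and function names are the example's own choices.

```php
<?php
declare(strict_types=1);

// Added example of a hardened profile-picture upload (not LH-EHR code).
// Assumptions: the upload field is 'profile_picture', $patientId has been
// validated by the caller, and $uploadDir is served without script execution.

/**
 * Validate an uploaded image using server-side content sniffing only and
 * return the extension it must be stored under, or null to reject it.
 * The client-supplied $file['type'] (Content-Type) is never consulted.
 */
function validateImageUpload(array $file, int $maxBytes = 2 * 1024 * 1024): ?string
{
    // Detected MIME type -> extension. Anything not in this map is refused.
    $allowed = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > $maxBytes) {
        return null;
    }

    // First check: sniff the magic bytes of the temporary file.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$detected])) {
        return null;
    }

    // Second, independent check: the file must parse as an image of that kind.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $detected) {
        return null;
    }

    return $allowed[$detected];
}

/**
 * Store the validated upload as <patientId>.<ext> and return its path.
 * The original filename is discarded, so a name like "x.php" can never
 * influence the stored name or extension.
 */
function storeProfilePicture(array $file, int $patientId, string $uploadDir): ?string
{
    $ext = validateImageUpload($file);
    if ($ext === null) {
        return null;
    }

    $dir  = rtrim($uploadDir, '/');
    $dest = $dir . '/' . $patientId . '.' . $ext;

    // Remove any stale picture for this patient stored under another extension.
    foreach (glob($dir . '/' . $patientId . '.*') ?: [] as $old) {
        @unlink($old);
    }

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable by the server, not executable
    return $dest;
}

// Usage inside the authenticated request handler:
// $path = storeProfilePicture($_FILES['profile_picture'], $patientId, __DIR__ . '/profile_pictures');
// if ($path === null) { http_response_code(400); exit('Invalid image upload'); }
```

Content sniffing alone is not sufficient, which is why the stored name is built entirely from server-side data and why the Mitigation paragraph's second layer still matters: the profile_pictures/ directory should be configured at the web-server level so that nothing in it is handed to the PHP interpreter, regardless of what a validation bug might let through.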
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: EventPlanning, INTERN, REL-2_0_0, … (+1 more)
- (no CPE) range: = REL-2_0_0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] 0dd.zone/2018/09/03/lh-ehr-RCE-via-picture-upload/ (refsource: MISC)
- [2] github.com/LibreHealthIO/lh-ehr/issues/1223 (refsource: MISC)
News mentions
No linked articles in our index yet.