CVE-2020-23829
Description
interface/new/new_comprehensive_save.php in LibreHealth EHR 2.0.0 suffers from an authenticated file upload vulnerability, allowing remote attackers to achieve remote code execution (RCE) on the hosting webserver by uploading a maliciously crafted image.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreHealth EHR 2.0.0 allows authenticated remote code execution via a file upload vulnerability in new_comprehensive_save.php.
Vulnerability
The interface/new/new_comprehensive_save.php script in LibreHealth EHR version 2.0.0 does not properly validate uploaded files. An authenticated user can upload a file with arbitrary content, including PHP code, by crafting a malicious image file (e.g., a PHP script with a valid image header). The file is stored in a web-accessible directory, allowing direct execution. [1][2]
Exploitation
An attacker must have valid credentials to the LibreHealth EHR application. After logging in, they navigate to the patient record creation or update functionality that triggers the upload. The attacker uploads a file containing PHP code, often disguised as an image by prepending a valid image header. The file is saved with a .php extension in a location the web server serves. The attacker then sends a request to the uploaded file, which executes the embedded PHP code. [1][2]
Impact
Successful exploitation results in remote code execution on the underlying web server with the privileges of the web server user. This can lead to full compromise of the LibreHealth EHR application, including access to patient data, database credentials, and potential lateral movement within the network. [1][2]
Mitigation
No official patch has been released for this vulnerability as of the publication date (2020-09-01). Users should restrict access to the interface/new/new_comprehensive_save.php endpoint, implement strict file type validation, and consider using a web application firewall. Upgrading to a later version of LibreHealth EHR may address the issue, but no specific fixed version is mentioned in the references. [1][2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- LibreHealth/LibreHealth EHR
- Range: = 2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing file content validation in the avatar upload functionality allows a PHP file disguised as a PNG image to be uploaded and executed."
Attack vector
An attacker must first authenticate to the LibreHealth EHR application with valid credentials [ref_id=1]. The attacker then sends a POST request to `interface/new/new_comprehensive_save.php` with a file that contains PHP code prefixed by PNG magic bytes (`\x89\x50\x4e\x47\x0d\x0a\x1a`) and a `Content-Type` of `image/png` [ref_id=1]. The server accepts the file and stores it under `sites/default/profile_pictures/` with a `.php` extension, making it accessible as a webshell [ref_id=1]. The attacker can then send arbitrary commands via the `telepathy` POST parameter to achieve remote code execution [ref_id=1].
Affected code
The vulnerable endpoint is `interface/new/new_comprehensive_save.php` in LibreHealth EHR 2.0.0 [ref_id=1]. The file upload handler does not validate the actual content of uploaded files, allowing a file with a `.php` extension to be submitted even when the MIME type is set to `image/png` [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide remediation guidance; it only describes the exploit. To close this vulnerability, the application should validate uploaded files by inspecting their true content (e.g., using PHP's `getimagesize()` or `finfo` functions) rather than trusting the MIME type or file extension, and should store uploaded files outside the web root or serve them with a non-executable content type.
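The hardening described above, as an added example that is not LibreHealth code: the handler ignores the client-supplied name and `Content-Type`, checks the detected MIME type and image header, re-encodes the image with GD so only pixel data survives, and writes it under a random server-chosen name. The field name `avatar`, the storage path and the size limit are assumptions.

```php
<?php
// Added defensive example (not from the LibreHealth project). Returns the stored
// filename on success and throws on any validation failure.
function validate_and_store_avatar(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('Upload failed or file too large');
    }
    // 1. Detect the type from the file bytes; the client's Content-Type and
    //    filename extension are attacker-controlled and never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("Rejected MIME type: $mime");
    }
    // 2. finfo only inspects the leading bytes, so a script prefixed with PNG
    //    magic bytes still passes this check. getimagesize() parses more of the
    //    header, but the decisive control is the re-encoding in step 3.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Not a decodable image');
    }
    // 3. Decode to a pixel buffer and write a fresh file from it: anything
    //    appended after the image data (PHP code included) is discarded.
    $img = $mime === 'image/png'
        ? @imagecreatefrompng($file['tmp_name'])
        : @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }
    // 4. Random name with an extension derived from the detected type, stored in
    //    a directory outside the web root (assumed path) and served back through
    //    a read-only script with an image Content-Type, never executed by PHP.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Failed to write re-encoded image');
    }
    return $name;
}

// Usage from the upload handler (form field 'avatar' and the path are assumed):
// $stored = validate_and_store_avatar($_FILES['avatar'], '/var/app-data/profile_pictures');
```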
Preconditions
- auth: Attacker must have valid credentials to authenticate to LibreHealth EHR
- config: The target server must be running LibreHealth EHR 2.0.0
- network: Attacker must have network access to the LibreHealth web interface
- input: The uploaded file must contain PNG magic bytes followed by PHP code
Reproduction
1. Authenticate to LibreHealth EHR at `interface/login/login.php` with valid credentials.
2. Send a POST request to `interface/new/new_comprehensive_save.php` with a file named `kaio-ken.php` containing `\x89\x50\x4e\x47\x0d\x0a\x1a\n` followed by `\x3c?php echo shell_exec($_REQUEST["telepathy"]); ?>` and set the MIME type to `image/png`.
3. The server stores the file at `sites/default/profile_pictures/
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.exploit-db.com/exploits/48702 (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.