Skip to content

Authenticated Unrestricted File Write in letter.php #1213

New issue
New issue
Open
#1571
Open
Authenticated Unrestricted File Write in letter.php#1213
#1571
Labels
Web SecurityWhite Hat Reports, Cross Site SQL Injection, etc
@prodigysml

Description

@prodigysml
prodigysml
opened on Jul 23, 2018

The Issue

Unrestricted file write vulnerabilities allow attackers to write file such as PHP files, in locations where the web server user has access to write. This may allow an attacker to write files with malicious content and may lead to remote code execution.

An attacker must be authenticated to perform this attack.

Where the Issue Occurred

The following code snippet displays the usage of the fopen function in PHP within the lh-ehr application:

lh-ehr/interface/patient_file/letter.php

Line 254 in cacaa71

$fh = fopen("$template_dir/".$_POST['newtemplatename'], 'w');

This creates or overwrites a file that the web server user has access to. The following code snippet displays writing user controlled content within the user controlled file:

lh-ehr/interface/patient_file/letter.php

Line 260 in cacaa71

if (! fwrite($fh, $temp_bodytext)) {

Metadata

Metadata

Assignees

No one assigned

    Labels

    Web SecurityWhite Hat Reports, Cross Site SQL Injection, etc

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions