Authenticated Local File Disclosure in import_template.php #1210
Comments
Does the authenticated user need to be an admin or a normal user @prodigysml?
I'm unsure about that.
A normal authenticated user should suffice as far as I know.
It is an easy test, aside from just looking at the code.
Unauthorized access is one thing. Please help us smash those down.
Don't get me wrong:
I think this may be a patient uploading a file within the patient portal. I will also state that I have never done a security review of this particular module. That said, the best way to test is what a patient logging into the patient portal system can do. The other theory is that this is to upload form template files for the patient to use, which is an admin feature. I would have to check more, as looking at the single file isn't doing it for me.
@aethelwulffe "Local file disclosure is a vulnerability which allows an attacker to disclose the contents of files on the server. An attacker can use this vulnerability to disclose the contents of sensitive files like /etc/passwd, config files, etc."
@naveen17797 and @prodigysml GSoC is finishing up and these fixes would be good first commits for @prodigysml if they would like to contribute and help us out.
@aethelwulffe I've confirmed this is possible when using a session token obtained with 'physician' privileges which, as I understand it, is not a 'super admin'. I'm unable to test from the perspective of a patient, as the patient portal doesn't work in the 2.0.0 release, nor when cloning from the repo at this point in time.
I was just playing with the patient portal the other day @C-Sto. No, "Physician" isn't admin, though it is treated as a pretty high level access, often including the ability to do certain admin tasks... but there should be a specific ACL group that is allowed to modify the templates. If the templates are able to execute a wide range of code, yet must be capable of being modified, this should be an ACL config item at least. The main issue is if a patient can access the template functions, which I do not believe they can.
@aethelwulffe Patient portal registration is broken in the current repo version: lh-ehr/patient_portal/account/register.php, line 492 in 5b5f427 (https://github.com/LibreHealthIO/lh-ehr/blob/5b5f427c4742f901e426f17325fb0aaf8209e0bb/patient_portal/account/register.php#L492). The 'patientdata' page does not exist. What is the most recent release that has a working patient portal? Or what can I do to manually set up a patient that can interact with the portal?
You must configure the location in globals/patient portal.
Do you plan to address this vulnerability?
@wisdommatt Can you link to the fixing commit please?
The issue has been open since 2018 and if you cross-check the code now you will notice it has already been fixed.
@wisdommatt There are no commits for import_template.php since the original commit (half a year before this issue). The latest version released is 2.0.0 in 2017. Searching for terms from this ticket that might appear in commit notes yields nothing. There is no readily available way to figure out where this was fixed, that's why I asked for a pointer.
@wisdommatt, following @attritionorg's reply, there is indeed no way to pinpoint where the issue was fixed and we were hoping that you could steer us in the right direction. Cheers and have a nice weekend!

The Issue
Local file disclosure is a vulnerability which allows an attacker to disclose the contents of files on the server. An attacker can use this vulnerability to disclose the contents of sensitive files like /etc/passwd, config files, etc. In lh-ehr, an attacker must be authenticated to perform this attack. Should the attacker know the path to a file and the web server user has sufficient access to read the file, the contents of the file will be echoed in the page.
Where the Issue Occurred
The following code snippet displays the usage of the file_get_contents function in PHP within the lh-ehr application:
lh-ehr/patient_portal/import_template.php, line 24 in cacaa71
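As an added illustration (not code from lh-ehr or from this report), the request-controlled file_get_contents pattern the report describes beside a hardened version that confines reads to one template directory; the parameter name, the template directory and the allowed extensions are assumptions:

```php
<?php
// Constructed example, not the project's code. Assumptions: the template name
// arrives in $_GET['template'], templates live under a fixed directory, and the
// caller has already passed authentication (which, as the report notes, is not
// enough on its own to prevent disclosure).

// Vulnerable pattern: the request parameter becomes part of the path, so any
// file the web server user can read is echoed back to a logged-in user.
function loadTemplateUnsafe(string $templateDir, string $name)
{
    return file_get_contents($templateDir . '/' . $name);
}

// Hardened version: strict file-name allow-list, realpath() resolution, and a
// containment check so symlinks cannot escape the template directory either.
function loadTemplateSafe(string $templateDir, string $name): string
{
    // 1. Accept only a plain file name with an expected extension.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(txt|html|tpl)$/', $name)) {
        throw new InvalidArgumentException('Invalid template name');
    }

    // 2. realpath() collapses "." and ".." and returns false for missing files.
    $baseDir = realpath($templateDir);
    $full = realpath($templateDir . DIRECTORY_SEPARATOR . $name);
    if ($baseDir === false || $full === false) {
        throw new RuntimeException('Template not found');
    }

    // 3. The resolved file must still sit inside the resolved template directory.
    if (strpos($full, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Template outside allowed directory');
    }

    $contents = file_get_contents($full);
    if ($contents === false) {
        throw new RuntimeException('Unable to read template');
    }
    return $contents;
}

// Usage: never echo file contents unescaped, and do not leak the failure reason.
$requested = $_GET['template'] ?? '';
try {
    echo htmlspecialchars(loadTemplateSafe(__DIR__ . '/templates', $requested), ENT_QUOTES, 'UTF-8');
} catch (Throwable $e) {
    http_response_code(400);
    echo 'Template could not be loaded.';
}
```

The containment check in step 3 is deliberate defence in depth: the regex already rejects path separators, but the realpath comparison also covers a symlink placed inside the template directory.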