CVE-2011-5161

Name of the Vulnerable Software and Affected Versions OpenEMR version 4

Description The issue concerns an unrestricted file upload vulnerability in the patient photograph functionality. This allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, and then accessing it via a direct request to the patient directory under documents/.

Recommendations For OpenEMR version 4, restrict file uploads to only allow safe extensions and consider implementing validation to prevent uploading files with executable content. As a temporary workaround, consider restricting access to the patient directory under documents/ to minimize the risk of exploitation.