Security issue

Forum for questions and support relating to the 1.25.x releases only.
tibbs
Posts: 14
Joined: Tue Oct 02, 2007 7:22 pm

Security issue

Postby tibbs » Fri Jan 25, 2013 5:48 pm

The Fedora security team passed the following URL on to me, which describes an arbitrary command execution vulnerability. Unfortunately this is in the PHP portion of ZM and PHP is not a language I'm particularly good at, so I don't feel up to having a go at fixing it. I haven't been able to find any discussion here about this; they indicated that the ZM folks have been notified but I guess they used the contact form which wouldn't be public.

http://itsecuritysolutions.org/2013-01- ... erability/

The exploit requires that you be authenticated first so it's not a huge emergency, but if you provide zoneminder logins to someone you wouldn't trust with root on the underlying server then do be careful.

tibbs
Posts: 14
Joined: Tue Oct 02, 2007 7:22 pm

Re: Security issue

Postby tibbs » Tue Jan 29, 2013 4:50 pm

By the way, CVE-2013-0232 was assigned for this issue: https://access.redhat.com/security/cve/CVE-2013-0232

usersenior
Posts: 24
Joined: Tue Jul 10, 2012 8:34 pm

Re: Security issue

Postby usersenior » Fri Mar 15, 2013 5:13 pm

# HG changeset patch
# User James McCoy <jamessan@debian.org>
# Date 1360509613 18000
# Node ID 8ad5cdabf2d65cc2a382b86259b216623d0a6f48
# Parent b87e27c0fee8bf1437cd1806bbd52d58a67b1089
shell escape commands with untrusted content (CVE-2013-0232)

diff --git a/debian/patches/CVE-2013-0232 b/debian/patches/CVE-2013-0232
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2013-0232
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+
+ function packageControl( $command )
+ {
+- $string = ZM_PATH_BIN."/zmpkg.pl $command";
++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+ exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+ else
+ {
+ // Can't connect so use script
+- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++ $command .= ' --unit-code '.escapeshellarg( $key );
+ //$command .= " 2>/dev/null >&- <&- >/dev/null";
+ $x10Response = exec( $command );
+ }
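Review bot: The DEP-3 header of the new patch file carries From, Bug-Debian and Subject but no Forwarded: line; since this fixes a CVE that upstream had already been told about, add `Forwarded: yes` (or the upstream report URL) so the patch's upstream status is recorded. On the change itself, `escapeshellarg( $command )` in packageControl turns the whole value into one argument to zmpkg.pl, which is correct as long as every caller passes a single token, and the zmx10.pl hunk quotes `$status` and `$key` separately, which is the right granularity. Both hunks escape at the sink only; if the call sites can also validate those three values against what the two scripts actually accept, that is a cheap second layer worth adding in the same patch.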
diff --git a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
include-avutil-mathematics-header
Fix-FTBFS-with-gcc-4.7
do_not_check_for_updates_by_default
+CVE-2013-0232
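Review bot: The series entry matches the new file name exactly, so quilt will pick it up; appending it last is fine for a change confined to web/includes/functions.php, provided none of the earlier patches in the series touch that file.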


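To show what the exec() problem in tibbs's report and the escapeshellarg() fix in the patch above actually do, here is an added illustration in PHP. It is not ZoneMinder's code and not part of this thread; the function names, the ZM_BIN path and the token character class are assumptions chosen for the example. It goes a step past the patch by adding input validation and a shell-free launcher as two further layers.

```php
<?php
// Added example, not ZoneMinder's own code: the command injection pattern
// behind CVE-2013-0232 and three ways to close it. buildPackageCommand*,
// isPlainToken, runWithoutShell and ZM_BIN are hypothetical stand-ins.

declare(strict_types=1);

const ZM_BIN = '/usr/bin'; // assumed path, stands in for ZM_PATH_BIN

// Vulnerable: $command is spliced into a shell string, so metacharacters in it
// (';', '&&', '|', backticks, '$(...)') are parsed by /bin/sh, not by zmpkg.pl.
function buildPackageCommandUnsafe(string $command): string
{
    return ZM_BIN . "/zmpkg.pl $command";
}

// Fix 1 (what the posted patch does): escapeshellarg() single-quotes the
// value, so the shell passes it to zmpkg.pl as exactly one argument.
function buildPackageCommandEscaped(string $command): string
{
    return ZM_BIN . '/zmpkg.pl ' . escapeshellarg($command);
}

// Fix 2 (defence in depth): accept only a plain token before building anything.
// The character class is an assumption for the example; it admits names made
// of letters, digits, '_' and '-' while refusing every shell metacharacter.
function isPlainToken(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) === 1;
}

function buildPackageCommandValidated(string $command): ?string
{
    if (!isPlainToken($command)) {
        return null; // caller must refuse and log, never fall through to exec()
    }
    return buildPackageCommandEscaped($command);
}

// Fix 3: do not involve a shell at all. Since PHP 7.4, proc_open() accepts an
// argv array and executes the program directly, so there is nothing to escape.
function runWithoutShell(array $argv): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['status' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Constructed input: a legitimate sub-command followed by a harmless second
// command, the shape that an injected value would take.
$tainted = 'status; id';

echo "unsafe:    ", buildPackageCommandUnsafe($tainted), PHP_EOL;
echo "escaped:   ", buildPackageCommandEscaped($tainted), PHP_EOL;
echo "validated: ", var_export(buildPackageCommandValidated($tainted), true), PHP_EOL;
echo "validated: ", buildPackageCommandValidated('restart'), PHP_EOL;

// Shell-free run with /bin/echo standing in for zmpkg.pl: the entire tainted
// string arrives as argv[1] of echo, and no second command is ever parsed.
$result = runWithoutShell(['/bin/echo', $tainted]);
echo "argv run:  ", trim($result['stdout']), PHP_EOL;
```

Running this prints the unsafe string with the `;` exposed to the shell, the escaped string with the whole value wrapped in single quotes, NULL for the rejected tainted value and a quoted command for the plain `restart` token, and finally echo's output showing the tainted text delivered as a single argument. Of the three layers, the argv form of proc_open() is the strongest because it removes the shell from the path entirely; escapeshellarg() remains the right minimal fix where exec() must stay, as in the 1.25.x patch.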