ZoneMinder Forums

ZoneMinder Forums
https://forums.zoneminder.com/

Security issue

https://forums.zoneminder.com/viewtopic.php?t=20771

Page 1 of 1

Security issue

Posted: Fri Jan 25, 2013 5:48 pm
by tibbs
The Fedora security team passed the following URL on to me, which describes an arbitrary command execution vulnerability. Unfortunately this is in the PHP portion of ZM and PHP is not a language I'm particularly good at, so I don't feel up to having a go at fixing it. I haven't been able to find any discussion here about this; they indicated that the ZM folks have been notified but I guess they used the contact form which wouldn't be public.

http://itsecuritysolutions.org/2013-01- ... erability/

The exploit requires that you be authenticated first so it's not a huge emergency, but if you provide zoneminder logins to someone you wouldn't trust with root on the underlying server then do be careful.

Re: Security issue

Posted: Tue Jan 29, 2013 4:50 pm
by tibbs
By the way, CVE-2013-0232 was assigned for this issue: https://access.redhat.com/security/cve/CVE-2013-0232

Re: Security issue

Posted: Fri Mar 15, 2013 5:13 pm
by usersenior
# HG changeset patch
# User James McCoy <jamessan@debian.org>
# Date 1360509613 18000
# Node ID 8ad5cdabf2d65cc2a382b86259b216623d0a6f48
# Parent b87e27c0fee8bf1437cd1806bbd52d58a67b1089
shell escape commands with untrusted content (CVE-2013-0232)

diff --git a/debian/patches/CVE-2013-0232 b/debian/patches/CVE-2013-0232
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2013-0232
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+
+ function packageControl( $command )
+ {
+- $string = ZM_PATH_BIN."/zmpkg.pl $command";
++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+ exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+ else
+ {
+ // Can't connect so use script
+- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++ $command .= ' --unit-code '.escapeshellarg( $key );
+ //$command .= " 2>/dev/null >&- <&- >/dev/null";
+ $x10Response = exec( $command );
+ }
diff --git a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
include-avutil-mathematics-header
Fix-FTBFS-with-gcc-4.7
do_not_check_for_updates_by_default
+CVE-2013-0232
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited