ZM Vulnerability

Forum for questions and support relating to the 1.30.x releases only.
Locked
apbb2
Posts: 31
Joined: Sun Jun 08, 2008 4:02 pm

ZM Vulnerability

Post by apbb2 »

Has anyone seen this:

http://www.securityfocus.com/bid/96120/info

Any thing end users can do to mitigate?
alabamatoy
Posts: 349
Joined: Sun Jun 05, 2016 2:53 pm

Re: ZM Vulnerability

Post by alabamatoy »

bbunge
Posts: 2923
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: ZM Vulnerability

Post by bbunge »

alabamatoy wrote:This is bad. More info: http://seclists.org/bugtraq/2017/Feb/6
My router reported this site as malicious.

More harmful than Zoneminder, at least.

bb
bbunge
Posts: 2923
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: ZM Vulnerability

Post by bbunge »

Looks like this has been fixed in 1.30.2. At least my test machine will not let me browse http://ipaddr/zm/events
bbunge
Posts: 2923
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: ZM Vulnerability

Post by bbunge »

Here is a "fix" to block the directory browsing. I must admit it is partly my fault..

For Ubuntu
Undo my "Fix to allow API to work" (back to the original configuration)

nano /etc/apache2/apache2.conf

Change All to None in two places as shown below

<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

Ctrl+o Enter to save

CTRL+x to exit

Edit zoneminder.conf

nano /etc/apache2/conf-available/zoneminder.conf

Add a - before Indexes and a + before FollowSymLinks

<Directory /usr/share/zoneminder/www>
Options -Indexes +FollowSymLinks

Make sure the following is at the bottom of the file

<Directory /usr/share/zoneminder/www/api>
AllowOverride All
</Directory>

Ctrl+o Enter to save

CTRL+x to exit

Restart Apache

service apache2 reload

http://ip-addr/zm/events should now give you a Forbidden 403 error
alexo
Posts: 6
Joined: Wed Feb 01, 2017 8:36 am
Location: Europe

Re: ZM Vulnerability

Post by alexo »

Same is valid for 1.29 as I posted here -> viewtopic.php?f=34&t=25784
bbunge
Posts: 2923
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: ZM Vulnerability

Post by bbunge »

alexo wrote:Same is valid for 1.29 as I posted here -> viewtopic.php?f=34&t=25784
Yes, I know. The fix will be the same. Just did not have the time to do all that yesterday.
alabamatoy
Posts: 349
Joined: Sun Jun 05, 2016 2:53 pm

Re: ZM Vulnerability

Post by alabamatoy »

bbunge wrote:
My router reported this site as malicious.

More harmful than Zoneminder, at least.

bb
Seclists is only bad because it lists things like router vulnerabilities, that your router manufacturer probably doesn't want you to see. :-)
Locked