
Released 1.36.33 The Memory Remains

Posted: Fri Feb 24, 2023 6:09 pm
by iconnor
# Changes since 1.36.32

- Sanitise attr input in FilterTerm to prevent SQL Injection. Fixes GHSA-222j-wh8m-xjrx
- Add object-src CSP directive to help prevent XSS
- db: Add helper for escaping strings and use it on username retrieved from jwt to prevent SQL injection
- use detaintPath on modal to prevent including other files instead of real modals
- Check for valid date in minTime and maxTime to prevent SQL attack
- Introduce check_datetime function to validate dates
- Attempt to sanitize daemon and arguments before executing commands to prevent executing other programs.
- Use validCardinal on MonitorId when creating snapshots to prevent executing other commands
- Adjust size of text inputs MonitorName and Source Path Filters to match chosen inputs
- test for existence of username in session to prevent error outputs when using AUTH_RELAY=plain
- Move actions process to after the unauth check to prevent actions happening when unauthenticated
- Fix detaintPath not stripping sequences like ..././
- Escape <> in log messages to prevent html shenanigans. Fixes #3596
- Don't start the statusCmdQuery on streaming start, because it is used when doing still updates. If we start it too fast, zms may not have started yet, causing errors in logs about zms
- Set a short expiry 1min and set the cookie name to include the filter so that each and every filter gets its own pagination saved. Fixes 3510
- Use reload instead of restart on zone save
- Add reload to monitor zmcControl
- Stop streams when clicking cancel/Save so that we don't log errors trying to access a dead zms. Fixes 3643
- Adding :80 to address is not worthy of an Error log, fixes warnings in logs from various PTZ scripts
- Add a sleeping flag so that when we get sigterm, we can just exit instead of returning to the sleep. Speeds up zoneminder shutdown
- fix format endtime on events list on watch view
- Include command line in debug output when generating images
- Fix missing/corrupted pre-alarm frames in recording. Fixes 3656
- Remove test for Enabled on monitor. Motion detection being disabled has nothing to do with manual triggering. Fixes 3657
- Allow viewing of events whose Monitor[Function]=None
- Remove stripslashes when saving config values. The values in REQUEST have not been escaped, so strip slashes is not appropriate. Fixes 3655
- Apply chosen styles to dropdowns in Options, allowing text search
- Queue packets instead of packet locks in event thread. Since we are using std::shared_ptr and not modifying the packet, should not need locking. Also, locking in one thread and unlocking in another is apparently undefined behaviour and doesn't work in freebsd.
- fixes for freebsd
- Don't wait for decode in Analyze, fixes some hangups on logrotate/shutdown
- Hide timestamp caption from bottom of video.js event view. It serves no purpose. Fixes 3488
- Add 2>&1 to command to delete event dir so that we get error messages logged.
- Move code from Event to Storage to implement delete_path()
- Use ajax() instead of getJSON with no timeout when deleting events.
- Update monitor preset view: Use a submit button instead of input with javascript. Remove no longer needed js code. Sort presets by Name.
- Fix saving Server modal. Form was incomplete, action and view were duplicated. Don't need javascript just use the submit button Save.
- Improve info when moving event to show source and Dest paths
- Remove dead code from report_event_audit.js
- Use Y-m-d H:i:s instead of c for date formatting to match what datetimepicker expects. remove unused action input and put view in the get part of form action
- Add styles to table headers to left align them to match the body

# Vulnerabilities addressed by this release
https://github.com/ZoneMinder/zoneminde ... -6jjc-cgmw CVE-2023-26036
https://github.com/ZoneMinder/zoneminde ... -q9mw-mwx9 CVE-2023-26032
https://github.com/ZoneMinder/zoneminde ... -2hj3-3733 CVE-2023-26037
https://github.com/ZoneMinder/zoneminde ... -h2pw-cc9g CVE-2023-26039
https://github.com/ZoneMinder/zoneminde ... -r8c4-r24w CVE-2023-2603
https://github.com/ZoneMinder/zoneminde ... -h4vf-29gr CVE-2023-26035
https://github.com/ZoneMinder/zoneminde ... -wh8m-xjrx CVE-2023-26034
https://github.com/ZoneMinder/zoneminde ... -g4qm-jr6v CVE-2023-25825

The bulk of these issues were found during Perfect Blue's 2023 CTF event. https://ctf.perfect.blue/

Thank you to the participants and thanks for the responsible disclosures. We are stronger for it.

All users of ZoneMinder < 1.36.33 are hereby EXTREMELY STRONGLY recommended to update.

https://github.com/ZoneMinder/zoneminde ... es/1.36.33
**Full Changelog**: https://github.com/ZoneMinder/zoneminde ... ...1.36.33
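
An added illustration of the `..././` changelog item above (not part of the original post and not ZoneMinder's code; all function names and sample inputs are hypothetical): a single-pass removal of `../` can splice the leftover characters back into `../`, so a sanitizer must repeat until the string stops changing, or reject anything outside an allow-list instead of rewriting it.

```php
<?php
// Hypothetical helpers for illustration only; this is not detaintPath.

// Weak form: one pass. Removing "../" from "..././" leaves "." + "./",
// which joins back into "../".
function strip_once(string $path): string {
    return str_replace('../', '', $path);
}

// Hardened form 1: repeat the removal until the string is stable, so a
// sequence rebuilt by an earlier pass is removed by the next one.
function strip_until_stable(string $path): string {
    do {
        $before = $path;
        $path = str_replace('../', '', $path);
    } while ($path !== $before);
    return $path;
}

// Hardened form 2: do not rewrite at all. Accept only names made of
// characters that cannot form a path, and reject everything else.
function is_safe_name(string $name): bool {
    return preg_match('/\A[A-Za-z0-9_-]+\z/', $name) === 1;
}

// Constructed sample inputs (not taken from any advisory).
$samples = ['settings', '../config', '..././config', '....//config'];

foreach ($samples as $s) {
    printf(
        "%-14s once=%-10s stable=%-8s allowed=%s\n",
        $s,
        strip_once($s),
        strip_until_stable($s),
        is_safe_name($s) ? 'yes' : 'no'
    );
}
```

For the last two inputs the single-pass version returns `../config`, while the looped version returns `config` and the allow-list check rejects the input outright.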

Re: Released 1.36.33 The Memory Remains

Posted: Fri Feb 24, 2023 8:44 pm
by pat2
great job! thanks

Re: Released 1.36.33 The Memory Remains

Posted: Sat Feb 25, 2023 2:52 pm
by Magic919
Sounds like I need to get this applied. No sign of it on Ubuntu Focal as yet.

Re: Released 1.36.33 The Memory Remains

Posted: Sat Feb 25, 2023 3:14 pm
by iconnor
Crap.. something went wrong with pushing to ppa. This is actually a big problem. Sigh. And there I thought everything was going so well.

Re: Released 1.36.33 The Memory Remains

Posted: Sat Feb 25, 2023 5:13 pm
by iconnor
ppa is up to date. Everybody upgrade!

Re: Released 1.36.33 The Memory Remains

Posted: Sat Feb 25, 2023 5:55 pm
by Magic919
Thanks for the quick response. Upgrade completed.

Re: Released 1.36.33 The Memory Remains

Posted: Sun Feb 26, 2023 7:02 am
by dougmccrary
And there I thought everything was going so well.
You should know by now not to let that thought cross your mind...

Re: Released 1.36.33 The Memory Remains

Posted: Mon Feb 27, 2023 3:39 am
by TULOA
Had 1 bug installing this coming back here and giving it another shot.

I had no images on the stream watching it in the web montage.

I found that until I set the path on focal to the following it didn't work because it couldn't find it until I changed it twice. Ultimately to:

# ZoneMinder url path to the zms streaming server
ZM_PATH_ZMS=/zm/cgi-bin/zms

Apparently if I leave it the original value then it can't find it. If I leave the nph-zms I am not authorized to view the page unless I change:
Options -MultiViews +SymLinksIfOwnerMatch +ExecCGI
To:
Options -MultiViews +FollowSymLinks +ExecCGI

So just to keep it whatever more secure the first one makes it I removed the nph- from the path variable and now set like this it works fine.

Hopefully things stay well and now that I got this all figured out I can plan a time to do a donation to help with this program.

Re: Released 1.36.33 The Memory Remains

Posted: Wed Mar 01, 2023 6:28 am
by JariR
Upgraded yesterday to 1.36.33 and noticed that this version won't anymore remember earlier selected option for displayed rows per page on events listing. If I choose option to display "all" next time arrive to list page it has changed selection to smallest option "10".

Re: Released 1.36.33 The Memory Remains

Posted: Sun Mar 12, 2023 12:45 pm
by lazyleopard
I'm running Debian old-stable (buster). I have zoneminder/buster 1.36.32-buster1 amd64 installed. I can't upgrade to 1.36.33-buster1 amd64. Details in post: viewtopic.php?t=32439

Re: Released 1.36.33 The Memory Remains

Posted: Wed Mar 15, 2023 1:36 pm
by sbodeen
JariR wrote: Wed Mar 01, 2023 6:28 am Upgraded yesterday to 1.36.33 and noticed that this version won't anymore remember earlier selected option for displayed rows per page on events listing. If I choose option to display "all" next time arrive to list page it has changed selection to smallest option "10".
I'm seeing that as well. I've also noticed that when viewing the last 20 events, the scale always changes back to auto instead of what you change it to.

Re: Released 1.36.33 The Memory Remains

Posted: Wed Mar 22, 2023 9:03 pm
by pat2
JariR wrote: Wed Mar 01, 2023 6:28 am Upgraded yesterday to 1.36.33 and noticed that this version won't anymore remember earlier selected option for displayed rows per page on events listing. If I choose option to display "all" next time arrive to list page it has changed selection to smallest option "10".
same for me

Re: Released 1.36.33 The Memory Remains

Posted: Sun Mar 26, 2023 7:20 pm
by lightguy48
I've been chasing this issue and also I'm noticing the same thing, all of the column settings and row number selections are getting lost.

Re: Released 1.36.33 The Memory Remains

Posted: Sun Mar 26, 2023 8:25 pm
by iconnor

Re: Released 1.36.33 The Memory Remains

Posted: Fri Mar 31, 2023 8:05 pm
by pat2
hi Isaac,

the code change suggested at https://github.com/ZoneMinder/zoneminde ... e92246c5f9 is already implemented in my /usr/share/zoneminder/www/skins/classic/views/events.php

Anyway, it is not an important issue.
thanks