The patch is available from here and I urge users to apply the patch as soon as possible. It only patches PHP files so can be applied directly to package installs as well as source builds.
To apply the patch, go to the top level of your ZoneMinder source directory and type the following.
```
patch -p0 < /path/to/downloaded/lfi-patch.txt
```

```
patching file web/includes/functions.php
Hunk #1 succeeded at 2314 (offset -36 lines).
Hunk #2 succeeded at 2341 (offset -36 lines).
patching file web/index.php
Hunk #1 succeeded at 96 (offset -1 lines).
Hunk #2 succeeded at 111 with fuzz 1 (offset -1 lines).
```
Please note that the issue that this patch addresses applies to authenticated users on systems with authentication enabled, or for any users on systems which do not require authentication. Not all systems appear to exhibit the problem even in these circumstances, possibly due to different PHP configuration, but I recommend applying the patch on all systems anyway. Please note that the version of 1.24.4 available for download as from today (28/7) has been updated with this patch.
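The following is an added example, not part of the original post or the ZoneMinder project: a shell function (the names `check_patch_output` and `sample_output` are hypothetical) that reads `patch` output like the listing above and separates hunks that applied at an offset only from hunks that needed fuzz or failed. A hunk applied with fuzz matched only after `patch` ignored some context lines, so on a security fix it is worth opening that file and confirming the change landed where intended.

```shell
#!/bin/sh
# Added example. Reads `patch` output on stdin and summarises it.
# Exit status: 0 = every hunk applied (offsets only)
#              1 = at least one hunk applied with fuzz (review that file)
#              2 = at least one hunk FAILED (patch not fully applied)
check_patch_output() {
    awk '
        /^patching file /        { file = $3 }
        /^Hunk #[0-9]+ FAILED/   { failed++; print "FAILED: " file " hunk " $2 }
        /^Hunk #[0-9]+ succeeded/ {
            ok++
            if ($0 ~ /with fuzz/) {
                fuzz++
                print "REVIEW: " file " hunk " $2 " applied with fuzz"
            }
        }
        END {
            printf "%d hunk(s) applied, %d with fuzz, %d failed\n", ok, fuzz, failed
            if (failed > 0) exit 2
            if (fuzz > 0)   exit 1
            exit 0
        }'
}

# The output quoted in the post above, embedded so the function can be
# tried offline.
sample_output() {
    cat <<'EOF'
patching file web/includes/functions.php
Hunk #1 succeeded at 2314 (offset -36 lines).
Hunk #2 succeeded at 2341 (offset -36 lines).
patching file web/index.php
Hunk #1 succeeded at 96 (offset -1 lines).
Hunk #2 succeeded at 111 with fuzz 1 (offset -1 lines).
EOF
}

# Typical use, from the top level of the source directory:
#   patch -p0 --dry-run < /path/to/downloaded/lfi-patch.txt | check_patch_output
# then repeat without --dry-run once the summary looks right.
```

Run against the listing in the post, it reports four hunks applied, flags hunk #2 of `web/index.php` for review, and returns status 1.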