Security issue

Forum for questions and support relating to the 1.25.x releases only.
Locked
tibbs
Posts: 14
Joined: Tue Oct 02, 2007 7:22 pm

Security issue

Post by tibbs »

The Fedora security team passed the following URL on to me, which describes an arbitrary command execution vulnerability. Unfortunately this is in the PHP portion of ZM and PHP is not a language I'm particularly good at, so I don't feel up to having a go at fixing it. I haven't been able to find any discussion here about this; they indicated that the ZM folks have been notified but I guess they used the contact form which wouldn't be public.

http://itsecuritysolutions.org/2013-01- ... erability/

The exploit requires that you be authenticated first so it's not a huge emergency, but if you provide zoneminder logins to someone you wouldn't trust with root on the underlying server then do be careful.
tibbs
Posts: 14
Joined: Tue Oct 02, 2007 7:22 pm

Re: Security issue

Post by tibbs »

By the way, CVE-2013-0232 was assigned for this issue: https://access.redhat.com/security/cve/CVE-2013-0232
usersenior
Posts: 24
Joined: Tue Jul 10, 2012 8:34 pm

Re: Security issue

Post by usersenior »

# HG changeset patch
# User James McCoy <jamessan@debian.org>
# Date 1360509613 18000
# Node ID 8ad5cdabf2d65cc2a382b86259b216623d0a6f48
# Parent b87e27c0fee8bf1437cd1806bbd52d58a67b1089
shell escape commands with untrusted content (CVE-2013-0232)

diff --git a/debian/patches/CVE-2013-0232 b/debian/patches/CVE-2013-0232
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2013-0232
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+
+ function packageControl( $command )
+ {
+- $string = ZM_PATH_BIN."/zmpkg.pl $command";
++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+ exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+ else
+ {
+ // Can't connect so use script
+- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++ $command .= ' --unit-code '.escapeshellarg( $key );
+ //$command .= " 2>/dev/null >&- <&- >/dev/null";
+ $x10Response = exec( $command );
+ }
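Review bot: escapeshellarg() in both nested hunks turns `$command`, `$status` and `$key` into single quoted shell tokens, which closes the injection, but packageControl() still forwards whatever verb the caller supplies to zmpkg.pl; consider also checking `$command` against the fixed set of subcommands zmpkg.pl accepts before building `$string`, so an unexpected value is rejected rather than merely quoted. Separately, the nested patch header carries From:, Bug-Debian: and Subject: but no Forwarded: line, so the file does not record whether upstream has the fix (the thread says ZM were notified only via the contact form); a `Forwarded:` line with the upstream reference would complete the DEP-3 header.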
diff --git a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
include-avutil-mathematics-header
Fix-FTBFS-with-gcc-4.7
do_not_check_for_updates_by_default
+CVE-2013-0232
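Review bot: the new `CVE-2013-0232` entry is appended last in `series`, so quilt applies it after the three existing patches; that is the right place for a new fix, but the nested hunks' context (lines 905 and 2145 of web/includes/functions.php) must then match the file as left by the earlier patches rather than pristine upstream, so the patch should be refreshed against the patched tree if any of them touches functions.php. The entry spelling matches the file name added in the first hunk exactly, as the series format requires.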