The Fedora security team passed the following URL on to me, which describes an arbitrary command execution vulnerability. Unfortunately this is in the PHP portion of ZM and PHP is not a language I'm particularly good at, so I don't feel up to having a go at fixing it. I haven't been able to find any discussion here about this; they indicated that the ZM folks have been notified but I guess they used the contact form which wouldn't be public.
http://itsecuritysolutions.org/2013-01- ... erability/
The exploit requires that you be authenticated first so it's not a huge emergency, but if you provide zoneminder logins to someone you wouldn't trust with root on the underlying server then do be careful.
Security issue
Re: Security issue
By the way, CVE-2013-0232 was assigned for this issue: https://access.redhat.com/security/cve/CVE-2013-0232
-
- Posts: 24
- Joined: Tue Jul 10, 2012 8:34 pm
Re: Security issue
# HG changeset patch
# User James McCoy <jamessan@debian.org>
# Date 1360509613 18000
# Node ID 8ad5cdabf2d65cc2a382b86259b216623d0a6f48
# Parent b87e27c0fee8bf1437cd1806bbd52d58a67b1089
shell escape commands with untrusted content (CVE-2013-0232)
diff --git a/debian/patches/CVE-2013-0232 b/debian/patches/CVE-2013-0232
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2013-0232
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+
+ function packageControl( $command )
+ {
+- $string = ZM_PATH_BIN."/zmpkg.pl $command";
++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+ exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+ else
+ {
+ // Can't connect so use script
+- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++ $command .= ' --unit-code '.escapeshellarg( $key );
+ //$command .= " 2>/dev/null >&- <&- >/dev/null";
+ $x10Response = exec( $command );
+ }
diff --git a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
include-avutil-mathematics-header
Fix-FTBFS-with-gcc-4.7
do_not_check_for_updates_by_default
+CVE-2013-0232
# User James McCoy <jamessan@debian.org>
# Date 1360509613 18000
# Node ID 8ad5cdabf2d65cc2a382b86259b216623d0a6f48
# Parent b87e27c0fee8bf1437cd1806bbd52d58a67b1089
shell escape commands with untrusted content (CVE-2013-0232)
diff --git a/debian/patches/CVE-2013-0232 b/debian/patches/CVE-2013-0232
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2013-0232
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+
+ function packageControl( $command )
+ {
+- $string = ZM_PATH_BIN."/zmpkg.pl $command";
++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+ exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+ else
+ {
+ // Can't connect so use script
+- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++ $command .= ' --unit-code '.escapeshellarg( $key );
+ //$command .= " 2>/dev/null >&- <&- >/dev/null";
+ $x10Response = exec( $command );
+ }
diff --git a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
include-avutil-mathematics-header
Fix-FTBFS-with-gcc-4.7
do_not_check_for_updates_by_default
+CVE-2013-0232