ZM Vulnerability

[apbb2]

Has anyone seen this:

http://www.securityfocus.com/bid/96120/info

Any thing end users can do to mitigate?

[alabamatoy]

This is bad. More info: http://seclists.org/bugtraq/2017/Feb/6

[bbunge]

This is bad. More info: http://seclists.org/bugtraq/2017/Feb/6

My router reported this site as malicious.

More harmful than Zoneminder, at least.

bb

[bbunge]

Looks like this has been fixed in 1.30.2. At least my test machine will not let me browse http://ipaddr/zm/events

[bbunge]

Here is a "fix" to block the directory browsing. I must admit it is partly my fault..

For Ubuntu
Undo my "Fix to allow API to work" (back to the original configuration)

nano /etc/apache2/apache2.conf

Change All to None in two places as shown below

<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

Ctrl+o Enter to save

CTRL+x to exit

Edit zoneminder.conf

nano /etc/apache2/conf-available/zoneminder.conf

Add a - before Indexes and a + before FollowSymLinks

<Directory /usr/share/zoneminder/www>
Options -Indexes +FollowSymLinks

Make sure the following is at the bottom of the file

<Directory /usr/share/zoneminder/www/api>
AllowOverride All
</Directory>

Ctrl+o Enter to save

CTRL+x to exit

Restart Apache

service apache2 reload

http://ip-addr/zm/events should now give you a Forbidden 403 error

[alexo]

Same is valid for 1.29 as I posted here -> viewtopic.php?f=34&t=25784

[bbunge]

Same is valid for 1.29 as I posted here -> viewtopic.php?f=34&t=25784

Yes, I know. The fix will be the same. Just did not have the time to do all that yesterday.

[alabamatoy]

My router reported this site as malicious.

More harmful than Zoneminder, at least.

bb

Seclists is only bad because it lists things like router vulnerabilities, that your router manufacturer probably doesn't want you to see.