New security issue?
Posted: Wed Aug 27, 2008 8:45 pm
by tibbs
I searched around this forum but I haven't seen any mention of the security issues disclosed on bugtraq yesterday:
http://marc.info/?l=bugtraq&m=121976722628485&w=4
I happen to not agree with the "critical" severity as I believe the issues are only exploitable by authenticated users, which is far less exposure than something exposed to anyone on the 'net. But they certainly need fixing.
I haven't started looking in the code yet, but my PHP isn't the best so I doubt I can be very useful. Is any progress being made on this?
CVEs have been assigned
Posted: Tue Sep 02, 2008 5:18 pm
by tibbs
I'm dismayed that there's no response to this. I note that four CVEs have been assigned to these issues:
CVE-2008-3880:
SQL injection vulnerability in zm_html_view_event.php in ZoneMinder
1.23.3 and earlier allows remote attackers to execute arbitrary SQL
commands via the filter array parameter.
CVE-2008-3881:
Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder
1.23.3 and earlier allow remote attackers to inject arbitrary web
script or HTML via unspecified parameters to unspecified
"zm_html_view_*.php" files.
CVE-2008-3882:
ZoneMinder 1.23.3 and earlier allows remote attackers to execute
arbitrary commands (aka "Command Injection") via (1) the executeFilter
function in zm_html_view_events.php and (2) the run_state parameter to
zm_html_view_state.php.
Posted: Tue Sep 02, 2008 6:06 pm
by coke
You're right, Tibbs, that blows, but I don't have the time to learn how to fix them, or the money to pay Phil et al to quit their real jobs and fix bugs immediately. Do you?
Posted: Tue Sep 02, 2008 8:17 pm
by cordel
Fixes have already been made in 1.24.x. If you have authentication turned on, you are not susceptible unless someone trying these has a login.
[edit] Just so no one gets confused, at this time 1.24.0 is still in development.
Posted: Tue Sep 02, 2008 8:41 pm
by coke
Did I miss the 1.24.x release notice?
Posted: Tue Sep 02, 2008 8:49 pm
by curtishall
coke wrote: Did I miss the 1.24.x release notice?
No. 1.24 hasn't been released to the public yet.
Posted: Tue Sep 02, 2008 9:19 pm
by cordel
curtishall wrote: coke wrote: Did I miss the 1.24.x release notice?
No. 1.24 hasn't been released to the public yet and is currently in RC status.
Actually, we are working towards RC status. It's not there yet, sorry, should have articulated more, but the issues will be covered when it releases.
Phil has completely redone the web interface.