Zoneminder has a vulnerability!

Forum for questions and support relating to the 1.28.x releases only.

Zoneminder has a vulnerability!

Post by biologisch »

With authentication enabled there is a vulnerability that allows a user to inspect the camera records of other users.

Example: User1 is associated to Monitor2 and User2 to Monitor2.
After logging in as User1, you can see your own camera and all of its stored images.
(http://localhost/zm/index.php?view=watch&mid=1)

Now, while logged in as User1, change mid=1 to mid=2 in the browser URL
(http://localhost/zm/index.php?view=watch&mid=2)

User1 can now see all of User2's stored pictures (not the live camera).

How to fix? :shock:

Greetings,
biologisch
ZM Versions = 1.36.33
zmeventnotification Version = "6.1.28"
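The defect described in the post is a missing object-level authorization check: the `mid` query parameter is trusted as-is, so a logged-in user can request any monitor id. The following is an added example, not ZoneMinder's own code, that models the fix in Python. The user table, the per-user monitor grants, the stored event names and the `watch_*` function names are all constructed for illustration; the real application would look the grants up in its database and apply the same check on every view and image endpoint that accepts a monitor or event id.

```python
"""Added example (not ZoneMinder code): object-level authorization for a
'watch' view keyed by a monitor id.  All names and data are constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class User:
    name: str
    monitor_ids: frozenset  # monitors this user is allowed to view (assumed schema)


class Forbidden(Exception):
    """Raised when a user requests a monitor they have not been granted."""


# Constructed sample data: each user is granted exactly one monitor.
USERS = {
    "User1": User("User1", frozenset({1})),
    "User2": User("User2", frozenset({2})),
}

# Constructed stored events, keyed by monitor id.
EVENTS = {
    1: ["evt-1001.jpg", "evt-1002.jpg"],
    2: ["evt-2001.jpg"],
}


def monitor_id_from_url(url: str) -> int:
    """Extract and validate the 'mid' query parameter from a watch URL."""
    values = parse_qs(urlparse(url).query).get("mid")
    if not values or not values[0].isdigit():
        raise ValueError("missing or non-numeric mid")
    return int(values[0])


def watch_unchecked(user: User, url: str) -> list:
    """The behaviour the post reports: mid is trusted, no ownership check."""
    mid = monitor_id_from_url(url)
    return EVENTS.get(mid, [])


def watch_checked(user: User, url: str) -> list:
    """Fixed behaviour: the requested monitor must be among the user's grants.

    The check happens server-side on every request, before any data is read,
    so editing the URL in the browser has no effect.
    """
    mid = monitor_id_from_url(url)
    if mid not in user.monitor_ids:
        raise Forbidden(f"{user.name} may not view monitor {mid}")
    return EVENTS.get(mid, [])


def is_tampered_mid_refused(user_name: str, url: str) -> bool:
    """True when the fixed handler refuses the request for this user/URL."""
    try:
        watch_checked(USERS[user_name], url)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    own = "http://localhost/zm/index.php?view=watch&mid=1"
    other = "http://localhost/zm/index.php?view=watch&mid=2"
    print("unchecked, User1 -> mid=2:", watch_unchecked(USERS["User1"], other))
    print("checked,   User1 -> mid=1:", watch_checked(USERS["User1"], own))
    print("checked,   User1 -> mid=2 refused:", is_tampered_mid_refused("User1", other))
```

The point worth carrying over to a real deployment is that the grant lookup must be keyed on the authenticated session's user, never on anything the client sends, and that the same check has to guard every path that serves monitor or event data (listing, single-image and stream endpoints alike), otherwise the fix covers only the one view that was reported.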

Re: Zoneminder has a vulnerability!

Post by biologisch »

Here is a screenshot of the vulnerability:

[screenshot not reproduced]

Re: Zoneminder has a vulnerability!

Post by iconnor »

Thanks for the report!

We have fixed this in our master dev branch. We will be releasing 1.28.1 soon with this fix.

Re: Zoneminder has a vulnerability!

Post by biologisch »

Thanks for the first answer after more than 6 months!