ZoneMinder Multiple Vulnerabilities
by Filip Palian <filip (dot) palian (at) pjwstk (dot) edu (dot) pl>
Software affected: ZoneMinder <= 1.23.3
Description (from the vendor site):
ZoneMinder is an integrated set of applications which provide a complete surveillance solution
allowing capture, analysis, recording and monitoring of any CCTV or security cameras attached to a
Linux based machine.
ZoneMinder is prone to Command Injection, SQL Injection and XSS. All attacks are possible because
user input is not sanitized.
I. Command Injection
In "zm_html_view_events.php", the function executeFilter() doesn't validate user input.
In "zm_html_view_state.php", the parameter "run_state" is not validated.
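The kind of check missing for "run_state", as an added example that is not part of the original advisory and is not ZoneMinder code: the value is matched against an allowlist pattern before it is placed on a command line. The helper path, the function names and the permitted state-name format are assumptions made for illustration.

```php
<?php
// Added example, not ZoneMinder source. STATE_HELPER is a hypothetical path
// and the allowed state-name format is an assumption.
const STATE_HELPER = '/usr/local/bin/example-state-helper';

/**
 * Return the run_state value if it is a plain state name, or null otherwise.
 */
function validate_run_state($raw): ?string
{
    // Request parameters can arrive as arrays (run_state[]=...); accept strings only.
    if (!is_string($raw)) {
        return null;
    }
    // Allowlist: 1-32 characters from [A-Za-z0-9_-], not starting with a hyphen
    // so the value cannot be read as an option by the helper.
    // \A and \z anchor the whole string; a bare $ would let a trailing newline through.
    if (preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_-]{0,31}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/**
 * Build the command line for an already validated state name.
 */
function build_state_command(string $state): string
{
    // escapeshellarg() is kept as defence in depth on top of the allowlist.
    return STATE_HELPER . ' ' . escapeshellarg($state);
}

// Constructed sample inputs: two plain names and several values that must be refused.
$samples = ['night', 'default', 'night;echo injected', "night\n", '-h', ['night'], ''];

foreach ($samples as $raw) {
    $state = validate_run_state($raw);
    $shown = json_encode($raw);
    if ($state === null) {
        echo "rejected $shown\n";
    } else {
        echo "accepted $shown -> " . build_state_command($state) . "\n";
    }
}
```

Rejecting the request outright, rather than trying to strip shell metacharacters from the value, keeps the check independent of which shell ends up interpreting the command.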
II. SQL Injection
In "zm_html_view_event.php", the array "filter" is not validated.
III. XSS
Multiple XSS issues exist in "zm_html_view_*.php".
At the moment no fixes have been provided by the vendor. As a workaround, restricting access to
authenticated users only and granting the lowest privileges is suggested.
18 VI 2008 Vulnerability sent to the vendor.
18 VI 2008 Initial vendor response.
26 VIII 2008 Security bulletin released.