Bug 460280 (CVE-2008-3880)

Summary: zoneminder: command injection, SQL injection and multiple XSS issues (CVE-2008-3882, CVE-2008-3880, CVE-2008-3881)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: unspecified
CC: fedora, jrusnack, j
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-04-11 01:59:53 UTC

Description Tomas Hoger 2008-08-27 11:01:20 UTC
Filip Palian reported multiple security vulnerabilities in ZoneMinder:

  http://marc.info/?l=bugtraq&m=121976722628485&w=4

Filip's description of the flaws:

  I. Command Injection
  In the "zm_html_view_events.php" function executeFilter() doesn't validate
  user input.
  In the "zm_html_view_state.php" parameter "run_state" is not validated.

  II. SQL Injection
  In the "zm_html_view_event.php" array "filter" is not validated.

  III. XSS
  In the "zm_html_view_*.php" multiple XSS exists.

According to the reporter, there is no official upstream fix. Restricting access to ZoneMinder web pages is recommended as a workaround.
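The report names three flaw classes but quotes no code. The following PHP is an added illustration written for this bug page, not ZoneMinder's own code: one helper per flaw class, each showing the input validation the reporter says is missing (an allowlist plus shell quoting for `run_state`, a column/operator allowlist plus a parameterized query for the `filter` array, and output escaping for the view pages). The function names, the state list, the column list, the `control-script` command name and the sample inputs are all assumptions constructed for the example.

```php
<?php
// Added illustration for bug 460280; not ZoneMinder code. Names, lists and
// the command string below are hypothetical.
declare(strict_types=1);

// --- CVE-2008-3882 (command injection via run_state) ---------------------
// Hypothetical set of configured run states. A request value that is not in
// the list never reaches a shell; one that is gets quoted anyway.
const KNOWN_RUN_STATES = ['default', 'Daytime', 'Nighttime'];

function buildRunStateCommand(string $runState): string
{
    if (!in_array($runState, KNOWN_RUN_STATES, true)) {
        throw new InvalidArgumentException('unknown run state: ' . $runState);
    }
    // 'control-script' is a placeholder for whatever program applies the state.
    return 'control-script ' . escapeshellarg($runState);
}

// --- CVE-2008-3880 (SQL injection via the filter array) ------------------
// Hypothetical Events columns a filter may reference, and the operators a
// filter term may use. Attribute and operator are taken from the allowlist,
// never from the request; the value becomes a bound parameter.
const FILTER_COLUMNS = ['Id', 'Name', 'StartTime', 'Length', 'Frames', 'Score'];
const FILTER_OPS = [
    '='  => '=',  '!=' => '!=', '<' => '<', '<=' => '<=',
    '>'  => '>',  '>=' => '>=', 'LIKE' => 'LIKE',
];

/** Returns [sql, params] for use with PDO::prepare()/PDOStatement::execute(). */
function buildFilterQuery(array $filterTerms): array
{
    $clauses = [];
    $params  = [];
    foreach ($filterTerms as $term) {
        $attr = (string)($term['attr'] ?? '');
        $op   = (string)($term['op'] ?? '');
        if (!in_array($attr, FILTER_COLUMNS, true) || !isset(FILTER_OPS[$op])) {
            throw new InvalidArgumentException('rejected filter term');
        }
        $clauses[] = sprintf('`%s` %s ?', $attr, FILTER_OPS[$op]);
        $params[]  = (string)($term['val'] ?? '');
    }
    $sql = 'SELECT * FROM Events';
    if ($clauses !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    return [$sql, $params];
}

// --- CVE-2008-3881 (XSS in zm_html_view_*.php) ----------------------------
// Every request-derived string that is echoed into a page goes through this.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs standing in for request parameters.
[$sql, $params] = buildFilterQuery([
    ['attr' => 'Name',  'op' => 'LIKE', 'val' => '%Front%'],
    ['attr' => 'Score', 'op' => '>=',   'val' => '50'],
]);
echo $sql, PHP_EOL;
print_r($params);

echo buildRunStateCommand('Daytime'), PHP_EOL;
try {
    buildRunStateCommand('Daytime; extra');   // shell metacharacters, not in the allowlist
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

echo h('<b>"Front" & back</b>'), PHP_EOL;
```

The allowlists do the real work: `escapeshellarg` and the bound parameter are a second layer, so a value that slips past the list still cannot change the command or the query structure. A filter term whose attribute or operator is not in the list is rejected outright rather than escaped, because column and operator names cannot be bound as parameters.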

Comment 1 Jason Tibbitts 2008-08-27 12:04:58 UTC
By default, the zoneminder package in Fedora ships with all access disabled and it is recommended (in the apache conf file that must be edited to enable access) that some sort of additional authentication be put in place.  If this issue isn't fixed in the short term, we can simply strengthen the notice to instruct users to keep access as restricted as possible.  Of course, this doesn't help users who already have the software running wide open.

I don't even see any mention of this issue on the upstream web site or in their fora.

Comment 2 Tomas Hoger 2008-09-02 16:52:21 UTC
Following CVEs were assigned to these issues:

CVE-2008-3880:
SQL injection vulnerability in zm_html_view_event.php in ZoneMinder
1.23.3 and earlier allows remote attackers to execute arbitrary SQL
commands via the filter array parameter.

CVE-2008-3881:
Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder
1.23.3 and earlier allow remote attackers to inject arbitrary web
script or HTML via unspecified parameters to unspecified
"zm_html_view_*.php" files.

CVE-2008-3882:
ZoneMinder 1.23.3 and earlier allows remote attackers to execute
arbitrary commands (aka "Command Injection") via (1) the executeFilter
function in zm_html_view_events.php and (2) the run_state parameter to
zm_html_view_state.php.

Comment 3 Jason Tibbitts 2008-09-02 17:24:13 UTC
I have had no luck at all in my attempts to receive a response, much less a fix, from upstream.

Comment 4 Martin Ebourne 2009-04-11 01:59:53 UTC
Rawhide has been upgraded to ZoneMinder 1.24.1. This claims to fix "All known security issues" based on the 1.24.0 release notes 2009/02/09.

There are no separate security patches available but as per Jason's comment we ship with access disabled and give recommendations to enable extra authentication, all of which protect against these vulnerabilities, so I'm not planning to make any further updates for F9/F10.