Bug 460280 (CVE-2008-3880)
| Summary: | zoneminder: command injection, SQL injection and multiple XSS issues (CVE-2008-3882, CVE-2008-3880, CVE-2008-3881) | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | fedora, jrusnack, j |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-04-11 01:59:53 UTC | Type: | --- |
Description
Tomas Hoger
2008-08-27 11:01:20 UTC
By default, the zoneminder package in Fedora ships with all access disabled and it is recommended (in the apache conf file that must be edited to enable access) that some sort of additional authentication be put in place. If this issue isn't fixed in the short term, we can simply strengthen the notice to instruct users to keep access as restricted as possible. Of course, this doesn't help users who already have the software running wide open. I don't even see any mention of this issue on the upstream web site or in their fora.

The following CVEs were assigned to these issues:

CVE-2008-3880: SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary SQL commands via the filter array parameter.

CVE-2008-3881: Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder 1.23.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to unspecified "zm_html_view_*.php" files.

CVE-2008-3882: ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary commands (aka "Command Injection") via (1) the executeFilter function in zm_html_view_events.php and (2) the run_state parameter to zm_html_view_state.php.

I have had no luck at all in my attempts to receive a response, much less a fix, from upstream.

Rawhide has been upgraded to ZoneMinder 1.24.1. This claims to fix "All known security issues" based on the 1.24.0 release notes 2009/02/09. There are no separate security patches available but as per Jason's comment we ship with access disabled and give recommendations to enable extra authentication, all of which protect against these vulnerabilities, so I'm not planning to make any further updates for F9/F10.