A file disclosure and inclusion vulnerability exists in ZoneMinder due to unfiltered user input being passed to readfile() in views/file.php, which allows an authenticated attacker to read local system files (e.g. /etc/passwd) in the context of the web server user (www-data).
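One general way to constrain a request path before it reaches readfile(), shown as an added example that is neither ZoneMinder's code nor the upstream fix. The helper name `resolve_within_base`, the directory layout and the sample files are hypothetical and constructed for the demonstration; a POSIX filesystem is assumed for the symlink case.

```php
<?php
// Added example: hypothetical helper and constructed sample data, not ZoneMinder code.

/**
 * Resolve a user-supplied relative path and return it only if the
 * canonical result is a regular file inside $baseDir; otherwise null.
 */
function resolve_within_base(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks, and fails on missing files.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare with a trailing separator so /srv/events-old does not match /srv/events.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed demo tree in a temp directory (sample data created here).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'file_demo_' . getmypid();
mkdir("$root/events", 0700, true);
file_put_contents("$root/events/frame001.jpg", 'constructed image bytes');
file_put_contents("$root/secret.conf", 'constructed secret');
symlink("$root/secret.conf", "$root/events/link.jpg"); // symlink leaving the base

$requests = [
    'frame001.jpg',   // legitimate file inside the base
    '../secret.conf', // relative traversal out of the base
    '/etc/passwd',    // absolute path of the kind named in the report
    'link.jpg',       // symlink that resolves outside the base
];
foreach ($requests as $req) {
    $path = resolve_within_base("$root/events", $req);
    if ($path === null) {
        echo "DENY  $req\n";  // a real handler would answer 403/404 here
    } else {
        echo "ALLOW $req -> ";
        readfile($path);      // only reached for contained, regular files
        echo "\n";
    }
}
array_map('unlink', ["$root/events/link.jpg", "$root/events/frame001.jpg", "$root/secret.conf"]);
rmdir("$root/events"); rmdir($root);
```

Only `frame001.jpg` is served; the traversal, the absolute path and the escaping symlink are all denied because the check runs on the canonical path rather than on the raw request string.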
Created zoneminder tracking bugs for this issue:
Affects: fedora-all [bug 1419509]
Strange, the link above does not contain all three commits which make up this fix.
Please use this link instead:
I don't anticipate any issues backporting this patch to the zoneminder packages currently in the fedora repos, but if there are, I can assist Chuck to make it happen.