A file disclosure and inclusion vulnerability exists in ZoneMinder due to unfiltered user input being passed to readfile() in views/file.php, which allows an authenticated attacker to read local system files (e.g. /etc/passwd) in the context of the web server user (www-data).

References:
http://seclists.org/bugtraq/2017/Feb/6

Upstream patch:
https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3
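
The pattern described in this report, next to a path-containment check of the kind that closes it. This is an added example, not ZoneMinder's code and not the upstream patch; MEDIA_ROOT and all function names are hypothetical.

```php
<?php
// Added illustration; not ZoneMinder's code. MEDIA_ROOT and the function
// names below are hypothetical.
const MEDIA_ROOT = '/var/lib/example-app/media'; // assumed storage root

// Vulnerable pattern: the request value goes straight to readfile(), so any
// file readable by the web server user (www-data) can be returned.
function serve_file_unsafe(string $requested): void
{
    readfile($requested);
}

// Hardened pattern: resolve the path first, then require it to sit under the root.
function resolve_inside_root(string $requested, string $root): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks, and returns false if the path is missing.
    $real = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so "/media-old" does not pass as "/media".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

function serve_file(string $requested): void
{
    $path = resolve_inside_root($requested, MEDIA_ROOT);
    if ($path === null) {
        http_response_code(404); // same answer for "missing" and "outside the root"
        return;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Checking the resolved path rather than the raw string is what makes the test hold for "..", absolute paths and symlinks alike.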
Created zoneminder tracking bugs for this issue:

Affects: fedora-all [bug 1419509]
Strange, the link above does not contain all three commits which make up this fix. Please use this link instead:

https://patch-diff.githubusercontent.com/raw/ZoneMinder/ZoneMinder/pull/1758.patch

I don't anticipate any issues backporting this patch to the zoneminder packages currently in the Fedora repos, but if there are, I can assist Chuck to make it happen.