Filip Palian reported multiple security vulnerabilities in ZoneMinder: http://marc.info/?l=bugtraq&m=121976722628485&w=4

Filip's description of the flaws:

I. Command Injection
In the "zm_html_view_events.php" function executeFilter() doesn't validate user input.
In the "zm_html_view_state.php" parameter "run_state" is not validated.

II. SQL Injection
In the "zm_html_view_event.php" array "filter" is not validated.

III. XSS
In the "zm_html_view_*.php" multiple XSS exist.

According to the reporter, there is no official upstream fix. Restricting access to ZoneMinder web pages is recommended as a workaround.
By default, the zoneminder package in Fedora ships with all access disabled and it is recommended (in the apache conf file that must be edited to enable access) that some sort of additional authentication be put in place. If this issue isn't fixed in the short term, we can simply strengthen the notice to instruct users to keep access as restricted as possible. Of course, this doesn't help users who already have the software running wide open. I don't even see any mention of this issue on the upstream web site or in their fora.
The following CVEs were assigned to these issues:

CVE-2008-3880: SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary SQL commands via the filter array parameter.

CVE-2008-3881: Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder 1.23.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to unspecified "zm_html_view_*.php" files.

CVE-2008-3882: ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary commands (aka "Command Injection") via (1) the executeFilter function in zm_html_view_events.php and (2) the run_state parameter to zm_html_view_state.php.
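The two injection classes behind CVE-2008-3880 and CVE-2008-3882 (a "filter" array spliced into SQL, and a "run_state" parameter handed to a command) are shown below as an added example, written in Python rather than ZoneMinder's PHP and not taken from ZoneMinder's source or from the reporter. The Events table, the shape of the filter terms, the allowlists and the stand-in "tool" are all constructed for the illustration. The point it makes beyond the advisory text: the same payload that widens a concatenated WHERE clause to every row is an inert string once identifiers are allowlisted and values are bound, and a run-state value that is checked against a known set and passed as an argv element never reaches a shell.

```python
"""Added example (not ZoneMinder code): unvalidated filter/run_state
parameters versus allowlisted identifiers, bound values and argv-only
command execution. All data below is constructed for the demo."""
import sqlite3
import subprocess
import sys

# Constructed sample table; the column names are an assumption, not
# ZoneMinder's real schema.
_ROWS = [
    (1, 1, "Motion", 12.5),
    (2, 1, "Alarm", 3.0),
    (3, 2, "Motion", 40.0),
]


def _db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Events (Id INTEGER, MonitorId INTEGER, Cause TEXT, Length REAL)"
    )
    con.executemany("INSERT INTO Events VALUES (?, ?, ?, ?)", _ROWS)
    return con


# A "filter" is a list of (column, operator, value) terms, the kind of
# structure a web form would submit. Each builder returns (sql, params).

def unsafe_where(terms):
    """Vulnerable pattern: every user-controlled string is spliced into SQL."""
    parts = [f"{col} {op} '{val}'" for col, op, val in terms]
    return "SELECT Id FROM Events WHERE " + " AND ".join(parts), ()


ALLOWED_COLUMNS = {"Id", "MonitorId", "Cause", "Length"}
ALLOWED_OPERATORS = {"=", "!=", "<", ">", "<=", ">="}


def safe_where(terms):
    """Hardened: identifiers and operators must match an allowlist (they cannot
    be bound as parameters); values are always bound, never concatenated."""
    parts, params = [], []
    for col, op, val in terms:
        if col not in ALLOWED_COLUMNS or op not in ALLOWED_OPERATORS:
            raise ValueError(f"rejected filter term {col!r} {op!r}")
        parts.append(f"{col} {op} ?")
        params.append(val)
    return "SELECT Id FROM Events WHERE " + " AND ".join(parts), tuple(params)


def run_filter(builder, terms):
    """Execute the built query against the sample table; return matching Ids."""
    sql, params = builder(terms)
    con = _db()
    try:
        return [row[0] for row in con.execute(sql, params)]
    finally:
        con.close()


# Classic tautology payload submitted as a filter value.
INJECTED_FILTER = [("MonitorId", "=", "1' OR '1'='1")]
BENIGN_FILTER = [("MonitorId", "=", "1")]

# --- run_state -----------------------------------------------------------

# Constructed set of known states; a real application would load these from
# its own configuration or database.
KNOWN_STATES = {"default", "nightwatch"}

# Stand-in for an external state-switching tool (assumption: any argv-style
# program); it just echoes its argument so the example runs offline.
_STATE_TOOL = [sys.executable, "-c", "import sys; print('state:', sys.argv[1])"]


def unsafe_state_command(run_state):
    """Vulnerable pattern: parameter concatenated into a shell command line,
    so metacharacters in run_state (';', '|', '$(...)') become shell syntax."""
    return subprocess.run(
        "echo state: " + run_state, shell=True, capture_output=True, text=True
    ).stdout


def run_state_command(run_state):
    """Hardened: reject anything outside the known set, then pass the value
    as a single argv element so no shell ever parses it."""
    if run_state not in KNOWN_STATES:
        raise ValueError(f"unknown run state {run_state!r}")
    result = subprocess.run(
        [*_STATE_TOOL, run_state], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()
```

With the tautology payload, `run_filter(unsafe_where, INJECTED_FILTER)` returns every Id because the value rewrote the WHERE clause, while `run_filter(safe_where, INJECTED_FILTER)` returns nothing because the bound string is compared literally. `safe_where` also refuses a column or operator outside the allowlist, which is the only defence available for identifiers since they cannot be parameterized. `run_state_command("default; echo injected")` raises instead of spawning a second command.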
I have had no luck at all in my attempts to receive a response, much less a fix, from upstream.
Rawhide has been upgraded to ZoneMinder 1.24.1. This claims to fix "All known security issues" based on the 1.24.0 release notes (2009/02/09). There are no separate security patches available, but as per Jason's comment we ship with access disabled and give recommendations to enable extra authentication, all of which protect against these vulnerabilities, so I'm not planning to make any further updates for F9/F10.