Bug 460280 - (CVE-2008-3880) zoneminder: command injection, SQL injection and multiple XSS issues (CVE-2008-3882, CVE-2008-3880, CVE-2008-3881)
Status: CLOSED RAWHIDE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: source=bugtraq,reported=20080827,publ...
Keywords: Security
Reported: 2008-08-27 07:01 EDT by Tomas Hoger
Modified: 2016-01-26 07:48 EST
Last Closed: 2009-04-10 21:59:53 EDT
Doc Type: Bug Fix
Attachments: None

Description Tomas Hoger 2008-08-27 07:01:20 EDT
Filip Palian reported multiple security vulnerabilities in ZoneMinder:

  http://marc.info/?l=bugtraq&m=121976722628485&w=4

Filip's description of the flaws:

  I. Command Injection
  In "zm_html_view_events.php", the function executeFilter() doesn't validate
  user input.
  In "zm_html_view_state.php", the parameter "run_state" is not validated.

  II. SQL Injection
  In "zm_html_view_event.php", the array "filter" is not validated.

  III. XSS
  In "zm_html_view_*.php", multiple XSS issues exist.

According to the reporter, there is no official upstream fix. Restricting access to ZoneMinder web pages is recommended as a workaround.
Comment 1 Jason Tibbitts 2008-08-27 08:04:58 EDT
By default, the zoneminder package in Fedora ships with all access disabled and it is recommended (in the apache conf file that must be edited to enable access) that some sort of additional authentication be put in place.  If this issue isn't fixed in the short term, we can simply strengthen the notice to instruct users to keep access as restricted as possible.  Of course, this doesn't help users who already have the software running wide open.

I don't even see any mention of this issue on the upstream web site or in their fora.
Comment 2 Tomas Hoger 2008-09-02 12:52:21 EDT
Following CVEs were assigned to these issues:

CVE-2008-3880:
SQL injection vulnerability in zm_html_view_event.php in ZoneMinder
1.23.3 and earlier allows remote attackers to execute arbitrary SQL
commands via the filter array parameter.

CVE-2008-3881:
Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder
1.23.3 and earlier allow remote attackers to inject arbitrary web
script or HTML via unspecified parameters to unspecified
"zm_html_view_*.php" files.

CVE-2008-3882:
ZoneMinder 1.23.3 and earlier allows remote attackers to execute
arbitrary commands (aka "Command Injection") via (1) the executeFilter
function in zm_html_view_events.php and (2) the run_state parameter to
zm_html_view_state.php.
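The three flaw classes in the CVE descriptions above, shown side by side as the vulnerable pattern and its hardened form. This is an added illustration written in Python for this page; it is not ZoneMinder's PHP code and does not reproduce the affected files. The Events table and its rows, the column and operator allow-lists, the run-state names and the /usr/local/bin/apply-run-state helper are all assumptions constructed for the example.

```python
# Added example (not ZoneMinder code): the flaw classes behind CVE-2008-3880, -3881 and
# -3882 as vulnerable vs. hardened patterns. The table, column names, allow-lists and
# the STATE_TOOL path are constructed for this illustration only.
import html
import sqlite3

# --- SQL injection via an unvalidated filter array (CVE-2008-3880 pattern) ---

def make_db():
    """Constructed in-memory stand-in for an events table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Events (Id INTEGER, MonitorId INTEGER, Cause TEXT)")
    conn.executemany("INSERT INTO Events VALUES (?, ?, ?)",
                     [(1, 1, "Motion"), (2, 1, "Signal"), (3, 2, "Motion")])
    return conn

# Each filter term is a dict {attr, op, val} as a web layer would decode it from the request.
ALLOWED_ATTRS = {"Id", "MonitorId", "Cause"}    # assumed column allow-list
ALLOWED_OPS = {"=", "!=", "<", ">", "LIKE"}      # assumed operator allow-list

def unsafe_where(terms):
    """Vulnerable: attribute, operator and value are spliced into the SQL text verbatim."""
    return " AND ".join(f"{t['attr']} {t['op']} '{t['val']}'" for t in terms)

def safe_where(terms):
    """Hardened: identifiers and operators come from allow-lists, values are bound parameters."""
    clauses, params = [], []
    for t in terms:
        if t["attr"] not in ALLOWED_ATTRS:
            raise ValueError(f"rejected filter attribute: {t['attr']!r}")
        if t["op"] not in ALLOWED_OPS:
            raise ValueError(f"rejected filter operator: {t['op']!r}")
        clauses.append(f"{t['attr']} {t['op']} ?")
        params.append(t["val"])
    return " AND ".join(clauses), params

def query_unsafe(conn, terms):
    return conn.execute("SELECT Id FROM Events WHERE " + unsafe_where(terms)).fetchall()

def query_safe(conn, terms):
    where, params = safe_where(terms)
    return conn.execute("SELECT Id FROM Events WHERE " + where, params).fetchall()

# --- Command injection via an unvalidated run_state parameter (CVE-2008-3882 pattern) ---

STATE_TOOL = "/usr/local/bin/apply-run-state"     # hypothetical helper, not a ZoneMinder binary
ALLOWED_RUN_STATES = {"default", "Home", "Away"}  # assumed set of configured state names

def unsafe_command(run_state):
    """Vulnerable: the parameter lands in a shell command line unchanged."""
    return f"{STATE_TOOL} {run_state}"

def safe_command(run_state):
    """Hardened: allow-list the value and build an argv list so no shell ever parses it."""
    if run_state not in ALLOWED_RUN_STATES:
        raise ValueError(f"rejected run_state: {run_state!r}")
    return [STATE_TOOL, run_state]   # hand to subprocess.run(argv) without shell=True

# --- Reflected XSS in the view pages (CVE-2008-3881 pattern) ---

def render_cell(value):
    """Hardened: encode untrusted text for the HTML context it is emitted into."""
    return f"<td>{html.escape(str(value), quote=True)}</td>"

if __name__ == "__main__":
    db = make_db()
    tautology = [{"attr": "Cause", "op": "=", "val": "Motion' OR '1'='1"}]
    print(query_unsafe(db, tautology))   # every row: the quote closed the literal early
    print(query_safe(db, tautology))     # no rows: the payload is compared as a plain string
    print(unsafe_command("Home; id"))    # a second command rides along on the shell line
    print(render_cell("<script>alert(1)</script>"))
```

The filter case is the one worth studying: binding the value alone is not enough, because the attribute and operator are also attacker-controlled text that ends up in the query, and those cannot be parameterized, so they have to be checked against a fixed allow-list. The same allow-list approach handles run_state, since a state name is a closed set of configured values, not free text.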
Comment 3 Jason Tibbitts 2008-09-02 13:24:13 EDT
I have had no luck at all in my attempts to receive a response, much less a fix, from upstream.
Comment 4 Martin Ebourne 2009-04-10 21:59:53 EDT
Rawhide has been upgraded to ZoneMinder 1.24.1. This claims to fix "All known security issues" based on the 1.24.0 release notes 2009/02/09.

There are no separate security patches available but as per Jason's comment we ship with access disabled and give recommendations to enable extra authentication, all of which protect against these vulnerabilities, so I'm not planning to make any further updates for F9/F10.
