Red Hat Bugzilla – Bug 460280
zoneminder: command injection, SQL injection and multiple XSS issues (CVE-2008-3882, CVE-2008-3880, CVE-2008-3881)
Last modified: 2016-01-26 07:48:27 EST
Filip Palian reported multiple security vulnerabilities in ZoneMinder:
Filip's description of the flaws:
I. Command Injection
In the "zm_html_view_events.php" function executeFilter() doesn't validate
In the "zm_html_view_state.php" parameter "run_state" is not validated.
II. SQL Injection
In the "zm_html_view_event.php" array "filter" is not validated.
In the "zm_html_view_*.php" multiple XSS issues exist.
According to the reporter, there is no official upstream fix. Restricting access to ZoneMinder web pages is recommended as a workaround.
By default, the zoneminder package in Fedora ships with all access disabled and it is recommended (in the apache conf file that must be edited to enable access) that some sort of additional authentication be put in place. If this issue isn't fixed in the short term, we can simply strengthen the notice to instruct users to keep access as restricted as possible. Of course, this doesn't help users who already have the software running wide open.
I don't even see any mention of this issue on the upstream web site or in their fora.
The following CVEs were assigned to these issues:
SQL injection vulnerability in zm_html_view_event.php in ZoneMinder
1.23.3 and earlier allows remote attackers to execute arbitrary SQL
commands via the filter array parameter.
Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder
1.23.3 and earlier allow remote attackers to inject arbitrary web
script or HTML via unspecified parameters to unspecified
ZoneMinder 1.23.3 and earlier allows remote attackers to execute
arbitrary commands (aka "Command Injection") via (1) the executeFilter
function in zm_html_view_events.php and (2) the run_state parameter to
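The two input-handling defects named above (a run_state value reaching a shell command unvalidated, and a filter array interpolated into SQL) are the kind of thing a packager would want to see hardened. The following is an added illustration, not ZoneMinder code: the state names, table and column names are assumptions, and it uses PDO with an in-memory SQLite database (pdo_sqlite extension) as a stand-in for the real backend.

```php
<?php
// Hypothetical hardening for the two unvalidated inputs in the report.
// Not taken from ZoneMinder; names and schema are made up for the example.

// run_state: allow-list the value against the states the application itself
// knows (assumed to come from its own configuration), then shell-quote it
// anyway as defence in depth before it reaches any exec() call.
function safeRunStateArg(string $requested, array $knownStates): ?string {
    if (!in_array($requested, $knownStates, true)) {
        return null;                      // unknown state: refuse, run nothing
    }
    return escapeshellarg($requested);
}

// filter array: column names and operators come from fixed allow-lists,
// values are bound as parameters and never interpolated into the SQL text.
function buildFilterWhere(array $filter): array {
    $columns = ['Id' => 'E.Id', 'MonitorId' => 'E.MonitorId', 'Name' => 'E.Name'];
    $ops = ['=' => '=', '!=' => '!=', '<' => '<', '>' => '>', 'like' => 'LIKE'];
    $clauses = [];
    $params = [];
    foreach ($filter['terms'] ?? [] as $i => $term) {
        $attr = $term['attr'] ?? null;
        $op = $term['op'] ?? null;
        if (!is_string($attr) || !is_string($op) || !isset($columns[$attr], $ops[$op])) {
            throw new InvalidArgumentException("rejected filter term $i");
        }
        $clauses[] = $columns[$attr] . ' ' . $ops[$op] . " :v$i";
        $params[":v$i"] = (string)($term['val'] ?? '');
    }
    $where = $clauses ? 'WHERE ' . implode(' AND ', $clauses) : '';
    return [$where, $params];
}

// Usage against a constructed Events table (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Events (Id INTEGER, MonitorId INTEGER, Name TEXT)');
$pdo->exec("INSERT INTO Events VALUES (1, 2, 'Front door'), (2, 3, 'Garage')");
[$where, $params] = buildFilterWhere(['terms' => [
    ['attr' => 'MonitorId', 'op' => '=', 'val' => '2'],
    ['attr' => 'Name', 'op' => 'like', 'val' => "Front' %"],  // quote stays data
]]);
$stmt = $pdo->prepare("SELECT Id FROM Events E $where");
$stmt->execute($params);
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));
var_dump(safeRunStateArg('Nighttime', ['Day', 'Nighttime']));
var_dump(safeRunStateArg('Unknown', ['Day', 'Nighttime']));
```

A filter term naming a column or operator outside the allow-list raises an exception rather than being passed through, which is the behaviour to log and alert on.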
I have had no luck at all in my attempts to receive a response, much less a fix, from upstream.
Rawhide has been upgraded to ZoneMinder 1.24.1. This claims to fix "All known security issues" based on the 1.24.0 release notes 2009/02/09.
There are no separate security patches available but as per Jason's comment we ship with access disabled and give recommendations to enable extra authentication, all of which protect against these vulnerabilities, so I'm not planning to make any further updates for F9/F10.