


IMPORTANT - Security Patch for ZM 1.24.x 
Site Admin
An issue has been reported which could result in authenticated users being able to examine arbitrary files on your system. This has been fixed in 1.25.0 and I have created a patch to allow the fix to be applied to previous versions.

The patch is available from here and I urge users to apply the patch as soon as possible. It only patches PHP files so can be applied directly to package installs as well as source builds.

To apply the patch go to the top level of your ZoneMinder source directory and type the following.
Code:
patch -p0 < /path/to/downloaded/lfi-patch.txt
You should then see output something like
Code:
patching file web/includes/functions.php
Hunk #1 succeeded at 2314 (offset -36 lines).
Hunk #2 succeeded at 2341 (offset -36 lines).
patching file web/index.php
Hunk #1 succeeded at 96 (offset -1 lines).
Hunk #2 succeeded at 111 with fuzz 1 (offset -1 lines).
which will indicate success. If you are patching installed systems rather than source you can run the patch from the installed ZM web directory and change -p0 to -p1.

Please note that the issue that this patch addresses applies to authenticated users on systems with authentication enabled, or for any users on systems which do not require authentication. Not all systems appear to exhibit the problem even in these circumstances, possibly due to different PHP configuration, but I recommend applying the patch on all systems anyway. Please note that the version of 1.24.4 available for download as from today (28/7) has been updated with this patch.

_________________
Phil


Thu Jul 28, 2011 11:37 am
Site Admin
IMPORTANT - Security Patch for ZM 1.24.x - UPDATED
A further case has arisen which the original patch did not address. That patch has been updated so if you have not applied it already then please download it and do so. If you have already applied it then please also apply an additional patch from here.

The currently available versions of 1.24.4 and 1.25.0 as of 13:00 UTC today (3rd August 2011) already contain the fix.

_________________
Phil


Wed Aug 03, 2011 1:51 pm
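
An added example, not from the original posts or the ZoneMinder project: a dry-run check that reports whether a patch file is already applied, still applicable, or conflicting before any file is modified, at either strip level mentioned in the thread. It assumes GNU patch; the helper names `patch_state` and `make_sample` and the stand-in tree and patch are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (GNU patch assumed); patch_state is a hypothetical helper name.
# Prints one of: applied | applicable | conflict. Only --dry-run is used here,
# so the tree is never modified. PATCHFILE must be an absolute path because
# the check runs inside DIR.
patch_state() {  # usage: patch_state DIR PATCHFILE STRIP_LEVEL
    local dir="$1" pfile="$2" strip="$3"
    # -f: never prompt and never flip direction when a patch merely looks reversed
    if (cd "$dir" && patch --dry-run -f -s -R "-p$strip" -i "$pfile") >/dev/null 2>&1; then
        echo applied       # reverse fits cleanly: the change is already in the tree
    elif (cd "$dir" && patch --dry-run -f -s "-p$strip" -i "$pfile") >/dev/null 2>&1; then
        echo applicable    # forward fits (offset or fuzz are still accepted by patch)
    else
        echo conflict      # neither direction fits, or wrong -p level for this directory
    fi
}

# Constructed sample: a stand-in tree and patch, not ZoneMinder code or the real fix.
make_sample() {  # usage: make_sample ROOT ; writes ROOT/web/index.php and ROOT/fix.patch
    mkdir -p "$1/web"
    printf '%s\n' '<?php' '// constructed stand-in' '$a = 1;' '$b = 2;' '$c = 3;' \
        > "$1/web/index.php"
    printf '%s\n' '--- web/index.php' '+++ web/index.php' '@@ -1,5 +1,5 @@' \
        ' <?php' ' // constructed stand-in' ' $a = 1;' '-$b = 2;' '+$b = 20;' ' $c = 3;' \
        > "$1/fix.patch"
}

demo() {
    local root
    root=$(mktemp -d) || return 1
    make_sample "$root"
    echo "source top level, -p0: $(patch_state "$root" "$root/fix.patch" 0)"
    echo "web directory,    -p1: $(patch_state "$root/web" "$root/fix.patch" 1)"
    (cd "$root" && patch -s -p0 -i "$root/fix.patch")   # apply for real
    echo "after applying,   -p0: $(patch_state "$root" "$root/fix.patch" 0)"
    rm -rf "$root"
}
demo
```

A `conflict` result from the web directory with `-p0` is the expected symptom of using the wrong strip level rather than of a damaged tree.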