An issue has been reported which could result in authenticated users being able to examine arbitrary files on your system. This has been fixed in 1.25.0 and I have created a patch to allow the fix to be applied to previous versions.
The patch is available from here and I urge users to apply the patch as soon as possible. It only patches PHP files so can be applied directly to package installs as well as source builds.
To apply the patch go to the top level of your ZoneMinder source directory and type the following.
patch -p0 < /path/to/downloaded/lfi-patch.txt
You should then see output something like
patching file web/includes/functions.php
Hunk #1 succeeded at 2314 (offset -36 lines).
Hunk #2 succeeded at 2341 (offset -36 lines).
patching file web/index.php
Hunk #1 succeeded at 96 (offset -1 lines).
Hunk #2 succeeded at 111 with fuzz 1 (offset -1 lines).
which will indicate success. If you are patching installed systems rather than source you can run the patch from the installed ZM web directory and change -p0 to -p1.
Please note that the issue that this patch addresses applies to authenticated users on systems with authentication enabled, or for any users on systems which do not require authentication. Not all systems appear to exhibit the problem even in these circumstances, possibly due to different PHP configuration, but I recommend applying the patch on all systems anyway. Please note that the version of 1.24.4 available for download as from today (28/7) has been updated with this patch.
IMPORTANT - Security Patch for ZM 1.24.x - UPDATED
A further case has arisen which the original patch did not address. That patch has been updated so if you have not applied it already then please download it and do so. If you have already applied it then please also apply an additional patch from here.
The currently available versions of 1.24.4 and 1.25.0 as of 13:00 UTC today (3rd August 2011) already contain the fix.