View unanswered posts | View active topics It is currently Fri Oct 31, 2014 1:02 pm



Reply to topic  [ 3 posts ] 
Security issue 
Author Message

Joined: Tue Oct 02, 2007 8:22 pm
Posts: 14
Post Security issue
The Fedora security team passed the following URL on to me, which describes an arbitrary command execution vulnerability. Unfortunately this is in the PHP portion of ZM and PHP is not a language I'm particularly good at, so I don't feel up to having a go at fixing it. I haven't been able to find any discussion here about this; they indicated that the ZM folks have been notified but I guess they used the contact form which wouldn't be public.

http://itsecuritysolutions.org/2013-01- ... erability/

The exploit requires that you be authenticated first so it's not a huge emergency, but if you provide zoneminder logins to someone you wouldn't trust with root on the underlying server then do be careful.


Fri Jan 25, 2013 6:48 pm
Profile

Joined: Tue Oct 02, 2007 8:22 pm
Posts: 14
Post Re: Security issue
By the way, CVE-2013-0232 was assigned for this issue: https://access.redhat.com/security/cve/CVE-2013-0232


Tue Jan 29, 2013 5:50 pm
Profile

Joined: Tue Jul 10, 2012 9:34 pm
Posts: 24
Post Re: Security issue
# HG changeset patch
# User James McCoy <jamessan@debian.org>
# Date 1360509613 18000
# Node ID 8ad5cdabf2d65cc2a382b86259b216623d0a6f48
# Parent b87e27c0fee8bf1437cd1806bbd52d58a67b1089
shell escape commands with untrusted content (CVE-2013-0232)

diff --git a/debian/patches/CVE-2013-0232 b/debian/patches/CVE-2013-0232
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2013-0232
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+
+ function packageControl( $command )
+ {
+- $string = ZM_PATH_BIN."/zmpkg.pl $command";
++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+ exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+ else
+ {
+ // Can't connect so use script
+- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++ $command .= ' --unit-code '.escapeshellarg( $key );
+ //$command .= " 2>/dev/null >&- <&- >/dev/null";
+ $x10Response = exec( $command );
+ }
diff --git a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
include-avutil-mathematics-header
Fix-FTBFS-with-gcc-4.7
do_not_check_for_updates_by_default
+CVE-2013-0232


Fri Mar 15, 2013 6:13 pm
Profile
Display posts from previous:  Sort by  
Reply to topic   [ 3 posts ] 

Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group