Local File Inclusion vulnerability

High
connortechnology published GHSA-h5m9-6jjc-cgmw Feb 24, 2023

Package

zoneminder (ZoneMinder)

Affected versions

< 1.36.33, < 1.37.33

Patched versions

1.36.33, 1.37.33

Description

Impact

Local File Inclusion vulnerability. All ZoneMinder installs < 1.36.33 are impacted.

  • In /web/index.php, there is a Local File Inclusion vulnerability:

    if ( $action and $view and !$request ) {
      if ( file_exists('includes/actions/'.$view.'.php') ) {
        require_once('includes/actions/'.$view.'.php');
      } else {
        ZM\Warning("No includes/actions/$view.php for action $action");
      }
    }

By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath:

    $view = isset($_REQUEST['view']) ? detaintPath($_REQUEST['view']) : null;

However, detaintPath does not properly sandbox the path; it just replaces "../" with "" once (/web/includes/functions.php):

    function detaintPath($path) {
      // Remove any absolute paths, or relative ones that want to go up
      $path = str_replace('../', '', $path);
      $path = ltrim($path, '/');
      return $path;
    }

This can be exploited by constructing paths like "..././", which get replaced by "../".
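
As an added illustration (not code from the advisory or from ZoneMinder, and not the fix in 3268f95), the PHP below runs the quoted detaintPath() on constructed inputs beside a hypothetical allowlist-plus-realpath check. resolveActionFile(), the allowed character set, and the sandbox paths and file names are assumptions made for the example.

```php
<?php
// detaintPath() exactly as quoted in the advisory (pre-patch behaviour).
function detaintPath($path) {
    $path = str_replace('../', '', $path);   // single pass, output is not re-scanned
    $path = ltrim($path, '/');
    return $path;
}

// Hypothetical hardened resolver (an assumption, not ZoneMinder's patch):
// allowlist the name, then confirm the resolved file stays under $baseDir.
function resolveActionFile(string $baseDir, ?string $view): ?string {
    if ($view === null || !preg_match('/\A[A-Za-z0-9_]+\z/', $view)) {
        return null;                          // separators and dots never pass
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $view . '.php');
    if ($base === false || $file === false) {
        return null;                          // missing directory or file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Constructed sandbox: one legitimate action file, one file outside the directory.
$root = sys_get_temp_dir() . '/zm_lfi_demo_' . getmypid();
$actions = "$root/includes/actions";
mkdir($actions, 0700, true);
file_put_contents("$actions/monitor.php", "<?php // constructed sample\n");
file_put_contents("$root/outside.php", "<?php // constructed sample\n");

foreach (['monitor', '../outside', '..././..././outside'] as $input) {
    $filtered = detaintPath($input);
    $legacy = realpath("$actions/$filtered.php");   // what the old check would resolve
    $inside = realpath($actions) . DIRECTORY_SEPARATOR;
    $escaped = $legacy !== false && strpos($legacy, $inside) !== 0;
    $hardened = resolveActionFile($actions, $input);
    printf("%-22s filtered=%-16s legacy_escapes=%-3s hardened=%s\n",
        $input, $filtered, $escaped ? 'yes' : 'no',
        $hardened === null ? 'rejected' : basename($hardened));
}

// Remove the constructed files.
unlink("$actions/monitor.php");
unlink("$root/outside.php");
rmdir($actions);
rmdir("$root/includes");
rmdir($root);
```

The same comparison can serve as a regression check when applying the patch manually: any input whose filtered form still contains a parent-directory segment indicates the old single-pass behaviour.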

Patches

Fixed by 3268f95.
All users should apply the patch manually or upgrade to 1.36.33 or 1.37.33 or greater.

Workarounds

Apply the patch manually.

Further credits

SamXML
Manfred Paul

Severity

High 8.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2023-26036

Weaknesses

No CWEs

Credits