Package: zoneminder
Version: 1.24.2-8
Severity: grave
Tags: security patch
Justification: user security hole
Control: fixed -1 1.25.0-1
Hi

In the zoneminder forum there is the following security patch announcement:
http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979

1.24.2-8 is affected by this file inclusion vulnerability. Attached are the patches from svn, r3483 and r3488.

Note: upstream 1.25.0 has a slightly modified detaint function:

function detaintPath( $path )
{
    // Remove any absolute paths, or relative ones that want to go up
    $path = preg_replace( '/\.(?:\.+[\\/][\\/]*)+/', '', $path );
    $path = preg_replace( '/^[\\/]+/', '', $path );
    return( $path );
}

Regards
Salvatore
Index: web/includes/functions.php
===================================================================
--- web/includes/functions.php (revision 3482)
+++ web/includes/functions.php (revision 3483)
@@ -2350,13 +2350,21 @@
 return( rand( 1, 999999 ) );
 }
+function detaintPath( $path )
+{
+ // Remove any absolute paths, or relative ones that want to go up
+ $path = preg_replace( '/\.\.\//', '', $path );
+ $path = preg_replace( '/^\//', '', $path );
+ return( $path );
+}
+
 function getSkinFile( $file )
 {
 global $skinBase;
 $skinFile = false;
 foreach ( $skinBase as $skin )
 {
- $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
+ $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
 if ( file_exists( $tempSkinFile ) )
 $skinFile = $tempSkinFile;
 }
@@ -2369,7 +2377,7 @@
 $skinFile = false;
 foreach ( $skinBase as $skin )
 {
- $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
+ $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
 if ( file_exists( $tempSkinFile ) )
 $skinFile = $tempSkinFile;
 }
Index: web/index.php
===================================================================
--- web/index.php (revision 3482)
+++ web/index.php (revision 3483)
@@ -97,10 +97,13 @@
 require_once( 'includes/functions.php' );
 if ( isset($_REQUEST['view']) )
- $view = validHtmlStr($_REQUEST['view']);
+ $view = detaintPath($_REQUEST['view']);
+if ( isset($_REQUEST['request']) )
+ $request = detaintPath($_REQUEST['request']);
+
 if ( isset($_REQUEST['action']) )
- $action = validHtmlStr($_REQUEST['action']);
+ $action = detaintPath($_REQUEST['action']);
 require_once( 'includes/actions.php' );
@@ -109,13 +112,10 @@
 if ( isset( $_REQUEST['request'] ) )
 {
- $request = validHtmlStr($_REQUEST['request']);
 foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
 {
 if ( !file_exists( $includeFile ) )
- {
 Fatal( "Request '$request' does not exist" );
- }
 require_once $includeFile;
 }
 return;
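Review bot: detaintPath() repairs the path instead of rejecting it, and each `preg_replace` runs only once, so nothing checks that the string left after the removal is itself free of an upward segment. In getSkinFile() (and in the function patched at -2369) the result goes to `file_exists()` and is returned, presumably for inclusion, so a containment check is the safer guard: `$real = realpath( $tempSkinFile );` followed by `if ( $real !== false && strpos( $real, realpath( 'skins' ).DIRECTORY_SEPARATOR ) === 0 ) $skinFile = $tempSkinFile;`. Both patched functions continue outside their hunks, so the place where the returned path is used is not visible here.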
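Review bot: Replacing validHtmlStr() with detaintPath() in the index.php hunk at -97 drops the HTML escaping for `$view`, `$request` and `$action`, yet `$request` and `$view` are still interpolated into the Fatal() messages shown in the hunks at -109 and -127. If Fatal() writes its message into the page unescaped (its body is not visible here), the inclusion fix would open a reflected-output problem. Keeping both steps avoids that, e.g. `$view = detaintPath( validHtmlStr( $_REQUEST['view'] ) );`, or escape the value where the message is emitted. `$action` does not appear to be used as a path in the visible lines, so an allowlist of known action names would fit it better than path stripping.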
@@ -127,9 +127,7 @@
 foreach ( $includeFiles as $includeFile )
 {
 if ( !file_exists( $includeFile ) )
- {
 Fatal( "View '$view' does not exist" );
- }
 require_once $includeFile;
 }
 }
Index: web/includes/functions.php
===================================================================
--- web/includes/functions.php (revision 3487)
+++ web/includes/functions.php (revision 3488)
@@ -2353,8 +2353,8 @@
 function detaintPath( $path )
 {
 // Remove any absolute paths, or relative ones that want to go up
- $path = preg_replace( '/\.\.+\/\//', '', $path );
- $path = preg_replace( '/^\//', '', $path );
+ $path = preg_replace( '/\.\.+\/\/*/', '', $path );
+ $path = preg_replace( '/^\/\/*/', '', $path );
 return( $path );
 }
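Review bot: The widened patterns in detaintPath() still treat only `/` as a separator, so on a platform where PHP also accepts a backslash the same path forms are left untouched. The 1.25.0 version quoted in the report covers both separators and repeated groups; adopting `'/\.(?:\.+[\\/][\\/]*)+/'` and `'/^[\\/]+/'` here would bring this backport in line with it. The comment could also state that the function strips the offending segments and returns the rest, so callers know a modified, non-empty path can still come back.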