ZmMiner is a php script that hooks into the zoneminder logging system and is used to extract data from the server and display it in a web-based interface. A vulnerability in the zmMiner web-application could allow an attacker to inject new data into the logs stored by zoneminder and obtain unauthorized access to the server. This can be exploited by malicious users to gain unauthorized access to the server or to inject spam into the server's logs and make the server appear to be infected with spyware. ZmMiner is not part of the zoneminder system and cannot be upgraded or removed. There are no workarounds for this issue.
This issue does not affect Zoneminder installation running on a Linux operating system. In a Linux installation, the web-application is an Apache module and is not part of the zoneminder installation.
Bug Description
A vulnerability in the zmMiner web-application could allow an attacker to inject new data into the logs stored by zoneminder and obtain unauthorized access to the server. This can be exploited by malicious users to gain unauthorized access to the server or to inject spam into the server's logs and make the server appear to be infected with spyware. ZmMiner is not part of the zoneminder system and cannot be upgraded or removed.
Description of Vulnerability
The ZmMiner is a php script that hooks into the zoneminder logging system and is used to extract data from the server and display it in a web-based interface. A vulnerability in the ZmMiner web-application could allow an attacker to inject new data into the logs stored by zoneminder and obtain unauthorized access to the server. This can be exploited by malicious users to gain unauthorized access to the server or to inject spam into the server's logs, and make the server appear to be infected with spyware. ZmMiner is not part of the zoneminder system and cannot be upgraded or removed. There are no workarounds for this issue.
Vulnerability Overview
If the zmMiner web-application is installed on a Linux machine, then this issue does not affect the system. If the zmMiner web-application is installed on a Windows machine, then this issue can allow a malicious user to execute arbitrary code with the privileges of the web-application's user and gain unauthorized access to the server.
Zoneminder has released ZM 6.0.6 which addresses these vulnerabilities by changing affected scripts so that they no longer use php magic quotes. The following versions of ZM are also affected:
ZM 5.0 - 6.3 (all versions)
Vulnerable code: Point of Attack
The vulnerable code is the zmMiner component of the web-application. The vulnerable code is located in the index.php file which is used to load and display information from the server logs.
Vulnerability Details
The vulnerability is found in the zmMiner web-application. There are no workarounds for this issue.
This issue does not affect Zoneminder installation running on a Linux operating system. In a Linux installation, the web-application is an Apache module and is not part of the zoneminder installation.
Timeline
Published on: 10/07/2022 21:15:00 UTC
Last modified on: 10/11/2022 16:54:00 UTC
References
- https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4
- https://github.com/ZoneMinder/zoneminder/commit/cb3fc5907da21a5111ae54128a5d0b49ae755e9b
- https://github.com/ZoneMinder/zoneminder/commit/de2866f9574a2bf2690276fad53c91d607825408
- https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-cfcx-v52x-jh74
- https://github.com/ZoneMinder/zoneminder/commit/73d9f2482cdcb238506388798d3cf92546f9e40c
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39291