
CVE-2017-7203 - Cross-Site Scripting (XSS) #1797

Closed
bestshow opened this issue Feb 28, 2017 · 7 comments

Comments

@bestshow

bestshow commented Feb 28, 2017

Product: ZoneMinder
Download: https://github.com/ZoneMinder/ZoneMinder
Vulnerable Version: 1.30.2 and probably prior
Tested Version: 1.30.2
Author: ADLab of Venustech

Advisory Details:
I have discovered a Cross-Site Scripting (XSS) vulnerability in “ZoneMinder”, which can be exploited to execute arbitrary code.
The vulnerability exists due to insufficient filtration of user-supplied data in the “postLoginQuery” HTTP POST parameter passed to the “ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php” URL. An attacker could execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to show a pop-up message box:
PoC:
Post: postLoginQuery=><script>alert(1);</script><
To
http://localhost/.../ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php

@connortechnology
Member

It is not exactly clear how to reproduce this. A better example would help. However, I propose that we use urlencode on the passed POST data for now...

For future releases, I propose that we move all skin content out of the direct doc root so that we can't post to it directly.
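As an added illustration of the urlencode approach proposed above (this is example code, not ZoneMinder's actual postlogin.js.php, and the variable name and the JSON-encoding step are assumptions), a minimal PHP view that hands a POST value to inline JavaScript, shown in the unescaped form and in an escaped form:

```php
<?php
// Added example, not ZoneMinder's own code: a view that reflects the
// postLoginQuery POST parameter into an inline <script> block.
// Assumption: the value is later used as a query string by the page's JS.

// Unescaped form: the raw POST value is interpolated into the script, so
// input containing quotes or angle brackets breaks out of the string and
// the script element (the pattern reported in this issue).
function vulnerableScript(string $query): string {
    return "<script>var postLoginQuery = '" . $query . "';</script>";
}

// Escaped form: urlencode() first, as proposed in the thread, which leaves
// only [A-Za-z0-9_.-] and percent-escapes; then json_encode() with the
// HEX flags so the result is a JS string literal that is also safe to
// embed inside an HTML <script> element.
function safeScript(string $query): string {
    $encoded = json_encode(
        urlencode($query),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>var postLoginQuery = " . $encoded . ";</script>";
}

// Quick check for a reviewer: the body between the script tags must not
// carry a literal '<' or '>' that originated from the input.
function containsRawTag(string $html): bool {
    $body = substr($html, strlen('<script>'), -strlen('</script>'));
    return strpbrk($body, '<>') !== false;
}

$payload = isset($_POST['postLoginQuery']) ? (string) $_POST['postLoginQuery'] : '';
echo safeScript($payload);
```

With the PoC value from this issue, containsRawTag(vulnerableScript($payload)) is true while containsRawTag(safeScript($payload)) is false, because urlencode() turns every angle bracket into %3C or %3E before it reaches the script.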

@bestshow
Author

bestshow commented Mar 2, 2017

Using the "POST" method, pass the parameter "postLoginQuery" with the value "><script>alert(1);</script><" to the affected URL "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php", and you will see the pop-up message box.

@connortechnology
Member

Please note that this requires a misconfiguration of apache. Only index.php should be executable as a php script.

@mnoorenberghe
Contributor

> Please note that this requires a misconfiguration of apache. Only index.php should be executable as a php script.

Why do you think that? Every setup I've used enables PHP for all files with the .php extension. See line 1 of Ubuntu's configuration: https://www.apt-browse.org/browse/ubuntu/xenial/main/i386/libapache2-mod-php7.0/7.0.4-7ubuntu2/file/etc/apache2/mods-available/php7.0.conf

Changing the suffix is a better way to stop it from being executed, e.g. .php.inc, but I'm not even sure that will fix the core problem here as it may still be exploited from the regular login form (haven't tested yet).

@mnoorenberghe
Contributor

I'm making a patch for this btw.

@carnil

carnil commented Mar 21, 2017

This has been assigned CVE-2017-7203

@SteveGilvarry
Member

Slight issue: 1.30.2 is not released; it should be 1.30.2-rc.1, simply because we are reviewing the patch for this now and 1.30.2 won't have the issue.

@SteveGilvarry changed the title from "ZoneMinder - Cross-Site Scripting (XSS)" to "CVE-2017-7203 - Cross-Site Scripting (XSS)" on Mar 21, 2017
connortechnology added a commit that referenced this issue on Mar 21, 2017: "Properly escape postLoginQuery. Fixes #1797"