Some security vulnerabilities in v1.32.3

[LoRexxar]

Describe Your Environment

• ZoneMinder v1.32.3

Describe the bug
some security vulnerabilities in v1.32.3

To Reproduce
some details in some datails

Expected behavior
The above problems can lead to user information leakage, unauthorized operation, server command execution...

[mnoorenberghe]

Progress:

• skins/classic/views/events.php line 44 sql injection (Validate cnj, obr, and cbr arguments in parseFilter #2434)
• sql query error Reflected xss (41dab07)
• skins/classic/views/control.php line 35 second order sqli (skins/classic/views/control.php second order sqli #2422)
• skins/classic/views/controlcap.php Reflected xss (controlcap.php: Reflected xss fix with validHtmlStr #2423)
• includes/functions.php daemonControl command injection (f2920c3)
• ajax/status.php line 276 orderby sql injection (Fix ajax/status.php orderby sql injection #2421)
• ajax/status.php line 393 sql injection (Validate cnj, obr, and cbr arguments in parseFilter #2434)

[mnoorenberghe]

I think all issues are addressed once #2434 is merged. I've also been adding CSP for script-src to some pages to mitigate XSS in the future.

[LoRexxar]

This sounds like a good decision.

[mnoorenberghe]

I guess this can be closed now. Thanks for the report!