Impact
The path to write logs to can be set to "/usr/share/zoneminder/www/lang" (the directory where the language files live). The log file can be given any name as long as it has a ".php" extension, because ZoneMinder only checks that "<language>.php" exists in the language path; in this example the file is "rce.php".
Edit the settings of any user on the platform and enter, as the value of "Home View", a PHP payload that executes a command and prints its result (the original example ends with "$output"; ?>).
Set that user's language to the log file created earlier, i.e. "rce" so that "rce.php" is the file ZoneMinder includes. The language field is only restricted client-side, so intercepting and modifying the request bypasses the drop-down of permitted languages.
The application logs everything that was done, including the PHP payload entered in "Home View", into "rce.php", so the log file is now poisoned with attacker-controlled PHP.
Finally, log in as that user: instead of the home view, ZoneMinder includes the poisoned log file as the language file, the injected PHP runs, and the output of the command is rendered in the page, giving arbitrary command execution on the remote machine.
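The chain above needs three things at once: a log path that resolves inside the web root, a user whose language is not one of the shipped language files, and PHP code stored in a free-text field that ends up in the log. The following audit script, added here as an example (not ZoneMinder code), checks a config/users snapshot for those three preconditions and scans a log for the poisoned lines. The install path follows the advisory; the shipped-language allowlist, the column names and the sample data are constructed for the example and would need to be taken from the real "Users" table and "lang" directory on a live system.

```python
import posixpath
import re

# Paths from the advisory; the install layout is an assumption for this example.
WEB_ROOT = "/usr/share/zoneminder/www"
LANG_DIR = posixpath.join(WEB_ROOT, "lang")

# Constructed allowlist: on a real system, list the *.php files in LANG_DIR instead.
SHIPPED_LANGS = frozenset({"en_gb", "en_us", "de_de", "fr_fr", "it_it"})

# A user Language must look like ll_cc and be one of the shipped files; anything
# else is an attempt to make ZoneMinder include some other .php file from LANG_DIR.
LANG_RE = re.compile(r"^[a-z]{2}_[a-z]{2}$")
# A PHP open tag in a free-text field is the payload the chain needs.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def log_path_inside(log_path: str, root: str = WEB_ROOT) -> bool:
    """True if ZM_PATH_LOGS resolves to the web root or below, so that log files
    become reachable as includable .php files."""
    norm = posixpath.normpath(log_path)
    return norm == root or norm.startswith(root.rstrip("/") + "/")


def audit_user(user: dict) -> list:
    """Flag a Users row whose Language is not a shipped language or whose HomeView
    carries PHP code."""
    findings = []
    name = user.get("Username", "?")
    lang = user.get("Language") or ""
    if lang and not (LANG_RE.match(lang) and lang in SHIPPED_LANGS):
        findings.append(f"user {name}: Language {lang!r} is not a shipped language")
    if PHP_TAG_RE.search(user.get("HomeView") or ""):
        findings.append(f"user {name}: HomeView contains a PHP open tag")
    return findings


def audit(config: dict, users: list) -> list:
    """Combine the config check and the per-user checks into one list of findings."""
    findings = []
    log_path = config.get("ZM_PATH_LOGS", "")
    if log_path_inside(log_path):
        findings.append(f"ZM_PATH_LOGS {log_path!r} is inside the web root")
    for user in users:
        findings.extend(audit_user(user))
    return findings


def poisoned_lines(log_text: str) -> list:
    """Return the log lines that carry a PHP open tag; a log written under LANG_DIR
    containing such lines is exactly the poisoned include target."""
    return [line for line in log_text.splitlines() if PHP_TAG_RE.search(line)]


# Constructed sample data, not taken from a real install.
SAMPLE_CONFIG = {"ZM_PATH_LOGS": "/usr/share/zoneminder/www/lang"}
SAMPLE_USERS = [
    {"Username": "admin", "Language": "en_gb", "HomeView": "console"},
    {"Username": "mallory", "Language": "rce", "HomeView": "<?php echo 'x'; ?>"},
]
# Constructed log excerpt; the real log format is not reproduced here.
SAMPLE_LOG = "\n".join([
    "INF [web] user admin logged in",
    "INF [web] user mallory updated: HomeView=<?php echo 'x'; ?>",
])


def run_sample() -> list:
    """Run the audit over the constructed sample and return its findings."""
    return audit(SAMPLE_CONFIG, SAMPLE_USERS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    for line in poisoned_lines(SAMPLE_LOG):
        print("poisoned:", line)
```

On a real system the three findings together (log path inside the web root, a non-shipped Language, a PHP tag in HomeView) are the signature of this chain; any single one is still worth investigating, since the log path alone turns every later free-text injection into an includable file.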
Patches
Release 1.36.34 will contain the fixes. Fixed by:
c83f179
Workarounds
Users must upgrade