CVE-2022-39285: Only perform actions on post. Doing them on GET allows doing actions … · ZoneMinder/zoneminder@c0a4c05
ZoneMinder is a free, open source closed-circuit television software application. The file parameter is vulnerable to a cross-site scripting (XSS) vulnerability by backing out of the current “tr” “td” brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the “view=log” page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions 1.36.27 and 1.37.24. Users are advised to upgrade. Users unable to upgrade should disable database logging.
@@ -203,8 +203,12 @@
require_once $includeFile;
}
if ( isset($_REQUEST[‘action’]) )
$action = detaintPath($_REQUEST[‘action’]);
if (isset($_POST[‘action’])) {
# Actions can only be performed on POST because we don’t check csrf on GETs.
$action = detaintPath($_POST[‘action’]);
} else if (isset($_REQUEST[‘action’])) {
ZM\Error(‘actions can no longer be performed without POST.’);
}
# The only variable we really need to set is action. The others are informal.
isset($view) || $view = NULL;
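Review bot: In the `else if (isset($_REQUEST['action']))` branch the request is only logged and `$action` is never assigned in the lines shown, so the rejection relies on code outside this hunk treating an unset `$action` as "no action". Setting `$action = NULL;` explicitly in that branch, or initialising it before the `if`, would make the fail-closed behaviour visible at this point. Because `$_POST` holds only body parameters, a POST request that carries `action` in the query string also ends up in this branch and is told the action was made 'without POST'; the message could say that the action must be sent in the POST body. If the rejected value is ever added to that log message, it should pass through the same `detaintPath()` call, since the description above places the stored XSS in the log view.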