Multiple Vulnerabilities identified in ZoneMinder
February 11, 2019
ZoneMinder is an open source surveillance software system provider which stands best in delivering the high standard state of art surveillance cameras and other related security solutions which mainly concentrate on functions like capturing, analyzing, recording and monitoring of CCTV or security cameras. ZoneMinder allows you monitor as you wish irrespective of the size and scope of the target environment. The application mainly concentrates on Home Security, Theft Prevention, Industrial and Commercial Security and also on Household security surveillance services.
Vulnerability Detected: Cross Site Scripting Attack (XSS)
Impact: XSS attacks mainly focus on implanting the malicious code into the trusted websites which lays the path for the attacker to invade into the system with the help of implanted code upon execution.
Vulnerability Detected: Cross Site Request Forgery (CSRF)
Impact: CSRF attack target the state changing requests and tries to force the end user to execute the unwanted or malicious code on the web application. These attacks also attract the victim user to perform the web actions as guided by the attacker such as changing the email address or password or even transferring the funds from one account to the other.
Vulnerability Detected: Log Injection
Impact: Unvalidated user input data is injected into the log file, causing the addition of custom log events into the web page.
Vulnerability Detected: Session Fixation
Impact: Attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim’s account.
Vulnerability Detected: Stack Overflow
Impact: When the memory input exceeds the limit of the the stack an overflow occurs resulting in the data exploitation. This is high severity case as it tends to perform the arbitrary code execution or may cause Denial of Service.
Vulnerability Detected: TOCTOU Race Condition
Impact: The TOCTOU vulnerability affects the system behavior and triggers the uncontrollable events as the sequence timing is exploited.
Vendor Disclosure: 2019-01-24
Public Disclosure: 2019-02-11
Discovered by ACE Team – Loginsoft