Closed bestshow closed 7 years ago
It is not exactly clear how to reproduce this. A better example would help. However, I propose that we use urlencode on the passed POST data for now...
For future releases, I propose that we move all skin content out of the direct doc root so that we can't post to it directly.
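As an added example (not ZoneMinder's code and not the patch discussed in this thread), this is one way to get a request parameter into a JavaScript response safely. Instead of urlencode it uses PHP's json_encode with the JSON_HEX_* flags to produce a JS string literal, so the value stays inside that literal whatever the client sends. The function names and the shape of the emitted JS are assumptions.

```php
<?php
// Added example, not ZoneMinder's own code or patch: emitting a request
// parameter into a JavaScript response without creating an XSS sink.
// Helper names and the shape of the JS output are assumptions.

// Turn an arbitrary string into a JavaScript string literal. json_encode
// yields a double-quoted literal; the JSON_HEX_* flags replace < > & ' "
// with \uXXXX escapes, so the value can neither terminate the surrounding
// <script> element nor break out of the literal.
function js_string_literal(string $value): string
{
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // json_encode returns false for invalid UTF-8; emit an empty literal
    // rather than falling back to the raw input.
    return $encoded === false ? '""' : $encoded;
}

// Build the JS body for a given POST array. The array is passed in so the
// function can be exercised from the CLI with constructed input.
function render_postlogin_js(array $post): string
{
    $query = isset($post['postLoginQuery']) ? (string) $post['postLoginQuery'] : '';
    return 'var postLoginQuery = ' . js_string_literal($query) . ";\n";
}

// Constructed samples: a benign value and an advisory-style payload.
$samples = [
    'benign'         => 'view=console&mid=1',
    'advisory-style' => '"><script>alert(1)</script>',
];
foreach ($samples as $label => $sample) {
    echo "// case: {$label}\n";
    echo render_postlogin_js(['postLoginQuery' => $sample]);
}
```

Run it with `php` on the command line: the advisory-style case comes out as `var postLoginQuery = "\u0022\u003E\u003Cscript\u003Ealert(1)\u003C\/script\u003E";`, which a browser evaluates as a plain string. Serving the file with a `Content-Type: application/javascript` header is still worthwhile, but the encoding is what removes the sink.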
Using the "POST" method, pass the parameter "postLoginQuery" whose value is "><" to the affected URL "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php", and you will see the pop-up message box.
Please note that this requires a misconfiguration of apache. Only index.php should be executable as a php script.
Why do you think that? Every setup I've used enables PHP for all files with the .php extension. See line 1 of Ubuntu's configuration: https://www.apt-browse.org/browse/ubuntu/xenial/main/i386/libapache2-mod-php7.0/7.0.4-7ubuntu2/file/etc/apache2/mods-available/php7.0.conf
Changing the suffix is a better way to stop it from being executed e.g. .php.inc but I'm not even sure that will fix the core problem here as it may still be exploited from the regular login form (haven't tested yet).
I'm making a patch for this btw.
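An added example of the Apache side of that discussion (not ZoneMinder's shipped configuration): an Apache 2.4 directory block that refuses direct HTTP requests for every .php file under the application directory except index.php, matching the "only index.php should be executable" intent above. The /var/www/zm path and the assumption that index.php is the only legitimate entry point are assumptions; PHP's include/require read files from disk, so skin files that are included by index.php keep working.

```apache
# Added example, not ZoneMinder's own configuration; the path is an assumption.
<Directory "/var/www/zm">
    # Default: refuse direct requests for any .php file in this tree.
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
    # Re-allow the single intended entry point. <Files> sections are merged
    # in configuration order, so this later section overrides the match above.
    <Files "index.php">
        Require all granted
    </Files>
</Directory>
```

After reloading Apache, a check such as `curl -s -o /dev/null -w '%{http_code}\n' https://host/zm/skins/classic/views/js/postlogin.js.php` should print 403 while the same request for index.php still returns 200. This is an access-control layer only; it does not replace encoding the parameter before it is written into the response.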
This has been assigned CVE-2017-7203
Slight issue: 1.30.2 is not released; it should be 1.30.2-rc.1, simply because we are reviewing the patch for this now and 1.30.2 won't have the issue.
Product: ZoneMinder
Download: https://github.com/ZoneMinder/ZoneMinder
Vulnerable Version: 1.30.2 and probably prior
Tested Version: 1.30.2
Author: ADLab of Venustech
Advisory Details: I have discovered a Cross-Site Scripting (XSS) in "ZoneMinder", which can be exploited to execute arbitrary code. The vulnerability exists due to insufficient filtering of user-supplied data in the "postLoginQuery" HTTP POST parameter passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute arbitrary HTML and script code in the browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to show a pop-up message box:
PoC:
Post: postLoginQuery=><
To: http://localhost/.../ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php