Headline
CVE-2023-26038: Local File Inclusion: In `web/ajax/modal.php`
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33.
Affected versions
< 1.36.33, < 1.37.33
Patched versions
1.36.33, 1.37.33
Description
Impact
In web/ajax/modal.php, an arbitrary php file path can be passed in the request and loaded:
$modal = validJsStr($_REQUEST[‘modal’]);
@$result = include(‘modals/’.$modal.’.php’);
Patches
Fixed by 6e417c2
Upgrade to 1.36.33 or 1.37.33.
Workarounds
Apply patch manually
Credits
Manfred Paul