ZoneMinder
cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*
- <= 1.36.33
- >= 1.37.61, <= 1.38.0
A second-order SQL injection vulnerability has been identified in ZoneMinder versions 1.36.37 and prior, as well as 1.37.61 through 1.38.0. The issue resides in the 'web/ajax/status.php' file, specifically within the 'getNearEvents()' function. While event field values such as 'Name' and 'Cause' are initially stored securely using parameterized queries, they are later retrieved and directly concatenated into SQL WHERE clauses without proper escaping. This vulnerability allows an authenticated user with event editing and viewing permissions to execute arbitrary SQL queries.
Exploitation of this vulnerability allows for arbitrary SQL execution, which could lead to unauthorized data access, modification, or deletion. Additionally, such SQL injection vulnerabilities can be leveraged to execute administrative database operations or, in some cases, issue commands to the operating system.
To reproduce this vulnerability, an authenticated user with event editing permissions can rename an existing event by injecting a SQL payload into the 'Name' or 'Cause' fields. This payload is then retrieved and executed as part of a SQL query in the 'getNearEvents()' function, exploiting the injection flaw. The injected SQL can be crafted to, for example, extract sensitive information such as password hashes from the database.
The vulnerability has been patched in ZoneMinder versions 1.38.1 and 1.36.38. Users should upgrade to these versions. Additionally, it's recommended to whitelist expected field names for the 'sort_field' parameter to prevent injection attacks.
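The second-order pattern above (a value stored safely with a parameterized query, then read back and spliced into a later WHERE clause, plus an unchecked sort field) is illustrated below in a self-contained Python/sqlite3 script. This is an added example, not part of the advisory and not ZoneMinder's own PHP/MySQL code; the table layout, column names, sample rows and the `ALLOWED_SORT_FIELDS` allowlist are assumptions constructed for the demonstration. It places the flawed query builder beside a hardened one that binds the retrieved value as a parameter and only accepts `sort_field` values from a fixed allowlist.

```python
import sqlite3

# Constructed sample data: an Events table loosely modelled on the advisory's
# description (Name and Cause are user-editable). Row 3 carries a quote
# character in its Name to show that the stored value is the injection point.
SAMPLE_EVENTS = [
    (1, "Front door", "Motion", "2024-01-01 10:00:00"),
    (2, "Back door", "Motion", "2024-01-01 11:00:00"),
    (3, "Garage' OR '1'='1", "Linked", "2024-01-01 12:00:00"),
]

# Assumed allowlist of column names the sort_field parameter may select.
ALLOWED_SORT_FIELDS = frozenset({"Id", "Name", "Cause", "StartDateTime"})


def build_db():
    """Create an in-memory database and store the sample rows.

    The INSERT is parameterized, so the quote in row 3 is stored as plain
    data; this is the 'initially stored securely' half of the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Events (Id INTEGER PRIMARY KEY, Name TEXT, "
        "Cause TEXT, StartDateTime TEXT)"
    )
    conn.executemany("INSERT INTO Events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def sort_field_allowed(sort_field):
    """Return True only for column names on the fixed allowlist."""
    return sort_field in ALLOWED_SORT_FIELDS


def near_events_vulnerable(conn, event_id, sort_field):
    """Flawed pattern: the stored Name is read back with a safe query, then
    concatenated into a second query as an SQL string literal. Any quote in
    the stored value changes the query's structure (second-order injection).
    sort_field is likewise spliced in unchecked."""
    name = conn.execute(
        "SELECT Name FROM Events WHERE Id = ?", (event_id,)
    ).fetchone()[0]
    sql = f"SELECT Id FROM Events WHERE Name = '{name}' ORDER BY {sort_field}"
    return [row[0] for row in conn.execute(sql)]


def near_events_fixed(conn, event_id, sort_field):
    """Hardened pattern: the retrieved Name is bound as a parameter in the
    second query too, and sort_field (which cannot be bound as a parameter)
    is validated against the allowlist before being placed in the SQL."""
    if not sort_field_allowed(sort_field):
        raise ValueError(f"unexpected sort_field: {sort_field!r}")
    name = conn.execute(
        "SELECT Name FROM Events WHERE Id = ?", (event_id,)
    ).fetchone()[0]
    sql = f"SELECT Id FROM Events WHERE Name = ? ORDER BY {sort_field}"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = build_db()
    # Event 1 has a harmless name: both builders return only that event.
    print("vulnerable, event 1:", near_events_vulnerable(db, 1, "Id"))
    # Event 3's stored name alters the WHERE clause in the flawed builder,
    # so every event is returned; the fixed builder treats it as data.
    print("vulnerable, event 3:", near_events_vulnerable(db, 3, "Id"))
    print("fixed, event 3:     ", near_events_fixed(db, 3, "Id"))
```

The key point for the fix is that there are two separate defences: parameter binding covers the retrieved value, while the sort field, which is an identifier rather than a value and so cannot be bound, is checked against an allowlist of known column names before it ever reaches the query string.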