CVE-2023-25825
📋 TL;DR
ZoneMinder versions before 1.36.33 are vulnerable to stored cross-site scripting (XSS) through malicious referrer field injection in database logs. When administrators view logs in the web interface, the unescaped malicious content executes in their browser context. This affects all ZoneMinder installations with web UI access.
💻 Affected Systems
- ZoneMinder
📦 What is this software?
Zoneminder by Zoneminder
⚠️ Risk & Real-World Impact
Worst Case
An attacker could inject malicious JavaScript that executes with administrator privileges when logs are viewed, potentially leading to session hijacking, credential theft, or complete system compromise.
Likely Case
Attackers inject malicious scripts that execute when administrators review logs, potentially stealing session cookies or performing actions as the administrator.
If Mitigated
With proper input validation and output encoding, the malicious referrer data would be treated as text rather than executable code, preventing XSS.
🎯 Exploit Status
Exploitation requires the ability to inject malicious referrer data into the logs, which typically requires some level of access or the ability to manipulate HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.36.33
Vendor Advisory: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-68vf-g4qm-jr6v
Restart Required: Yes
Instructions:
1. Backup your ZoneMinder configuration and database.
2. Update ZoneMinder to version 1.36.33 or later using your package manager or from source.
3. Restart the ZoneMinder service and web server.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Web UI Log Viewing
Prevent access to the log viewing functionality in the web interface
# Modify ZoneMinder web configuration to restrict log access
# Or use web server access controls to block /zm/index.php?view=log
Implement WAF Rules
Add web application firewall rules to block malicious referrer headers
# Example mod_security rule for Apache. The transformations decode URL- and
# entity-encoded values before matching, and (?i) makes the match case-insensitive,
# so obfuscated forms such as %3Cscript or &lt;ScRiPt are also caught:
SecRule REQUEST_HEADERS:Referer "@rx (?i)(<script|javascript:)" "id:1001,phase:1,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403"
🧯 If You Can't Patch
- Implement strict input validation for referrer headers at the web server level
- Disable or restrict access to the log viewing interface for all users
🔍 How to Verify
Check if Vulnerable:
Check ZoneMinder version via web interface or command line. Versions below 1.36.33 are vulnerable.
Check Version:
zmupdate.pl -v 2>/dev/null | grep Version || grep ZM_VERSION /usr/share/zoneminder/db/zmupdate.sql
Verify Fix Applied:
After updating, verify version is 1.36.33 or higher and test that referrer data in logs is properly escaped when viewed.
📡 Detection & Monitoring
Log Indicators:
- Unusual referrer headers containing script tags or JavaScript in ZoneMinder logs
- Multiple failed attempts with crafted referrer values
Network Indicators:
- HTTP requests with suspicious referrer headers containing script tags or encoded JavaScript
SIEM Query:
source="zoneminder" AND (referrer="*<script*" OR referrer="*javascript:*")
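The following is an added example, not code from ZoneMinder or from this advisory. It scans constructed log lines (the key=value layout is an assumption, not ZoneMinder's real log format) for the referrer indicators listed above, decoding URL escapes and HTML entities first so encoded variants are not missed, and uses Python's `html.escape` as a stand-in for the output encoding the fix applies when the log view renders referrer data.

```python
import html
import re
from urllib.parse import unquote

# Indicators from the advisory: script tags and javascript: URIs.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)
REFERRER_FIELD = re.compile(r'referrer="([^"]*)"')

# Constructed sample log (assumed key=value layout, not ZoneMinder's own format).
SAMPLE_LOG = """\
2023-02-20 10:15:01 web_php INF referrer="https://cams.example.internal/zm/index.php?view=console" msg="login ok"
2023-02-20 10:15:07 web_php INF referrer="%3Cscript%3E1%3C/script%3E" msg="login ok"
2023-02-20 10:15:09 web_php WAR referrer="&lt;ScRiPt&gt;1&lt;/script&gt;" msg="login failed"
2023-02-20 10:15:12 web_php INF referrer="JAVASCRIPT:void(0)" msg="login ok"
2023-02-20 10:15:20 web_php INF referrer="https://example.internal/?desc=description" msg="login ok"
"""


def normalize(value: str) -> str:
    """Undo URL encoding and HTML entities, twice, to catch double-encoded values."""
    out = value
    for _ in range(2):
        out = html.unescape(unquote(out))
    return out


def is_suspicious_referrer(value: str) -> bool:
    """True if the decoded referrer contains a script tag or javascript: URI."""
    return bool(SUSPICIOUS.search(normalize(value)))


def scan_log_lines(text: str) -> list[tuple[int, str]]:
    """Return (line number, raw referrer) for every line with a suspicious referrer."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = REFERRER_FIELD.search(line)
        if match and is_suspicious_referrer(match.group(1)):
            hits.append((number, match.group(1)))
    return hits


def escape_for_view(value: str) -> str:
    """Output-encode a logged value so the browser renders it as text, not markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for number, referrer in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: suspicious referrer, rendered safely as {escape_for_view(referrer)}")
```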
🔗 References
- https://github.com/ZoneMinder/zoneminder/commit/4637eaf9ea530193e0897ec48899f5638bdd6d81
- https://github.com/ZoneMinder/zoneminder/commit/57bf25d39f12d620693f26068b8441b4f3f0b6c0
- https://github.com/ZoneMinder/zoneminder/commit/e1028c1d7f23cc1e0941b7b37bb6ae5a04364308
- https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-68vf-g4qm-jr6v