ZoneMinder PHP Objection Injection (2)
The Issue
PHP Object Deserialization Injection attacks utilise the unserialize
function within PHP. The deserialisation of the PHP object can trigger certain methods within the object, allowing the attacker to perform unauthorised actions like execution of code, disclosure of information, etc.
The ZoneMinder project overly trusted user input when processing the data obtained from a form.
Where the Issue Occurred
Displayed below is the code within the ZoneMinder project containing the vulnerable code (line 216 zoneminder/web/skins/classic/views/onvifprobe.php#L216):
$probe = unserialize(base64_decode($_REQUEST['probe']));
Disclosure Timeline
- Issue Reported: 24th October 2018
- Blog Post Published: 28th October 2018
- Applied for CVE: