Boolean-based SQL Injection in ZoneMinder v1.37.\* <= 1.37.64
=============================================================
Critical
[connortechnology](https://github.com/connortechnology) published GHSA-qm8h-3xvf-m7j3 5 days ago
Package
-------
zoneminder (apt, ppa, aur)
Affected versions
-----------------
1.37.\*<=1.37.64
Patched versions
----------------
1.37.65
Description
-----------
### Summary
ZoneMinder v1.37.\* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of **web/ajax/event.php**.
### Details
In **web/ajax/event.php**, I found the vulnerable code:
case 'removetag' :
$tagId = $_REQUEST['tid'];
dbQuery('DELETE FROM Events_Tags WHERE TagId = ? AND EventId = ?', array($tagId, $_REQUEST['id']));
$sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId";
$rowCount = dbNumRows($sql);
if ($rowCount < 1) {
$sql = 'DELETE FROM Tags WHERE Id = ?';
$values = array($_REQUEST['tid']);
$response = dbNumRows($sql, $values);
ajaxResponse(array('response'=>$response));
}
Notice that **$tagId** is put directly inside **$sql** command and then execute. So we can confirm it is vulnerable to SQL Injection.
### PoC
Although it is not possible to execute the command directly through directory, after reading the documents, here is the url:
http://hostname_or_ip/zm/index.php?view=request&request=event&action=removetag&tid=1
and the function tid is vulnerable to SQL Injection.
I used sqlmap to automate the exploitation process through this command:
sqlmap -u 'http://hostname_or_ip/zm/index.php?view=request&request=event&action=removetag&tid=1'
Here is the PoC video:
[https://github.com/user-attachments/assets/3cc50e51-68cf-4540-8225-4288f73e0c08](https://github.com/user-attachments/assets/3cc50e51-68cf-4540-8225-4288f73e0c08)
### Impact
Total control of SQL Databases: loss of data confidentiality and integrity, denial of service with SLEEP command.
### Mitigation
Here is the code modification to patch the vulnerability:
$sql = "SELECT * FROM Events_Tags WHERE TagId = ?";
$rowCount = dbNumRows($sql, $tagId);
The code update the parameterized query through the vulnerable component.
Unavailable Comments