FixVibe
Severity: high

ZoneMinder Apache Configuration Information Disclosure

ZoneMinder 1.29 and 1.30 contain an Apache misconfiguration that permits unauthenticated directory browsing and a potential authentication bypass.

ZoneMinder versions 1.29 and 1.30 are affected by a bundled Apache HTTP Server misconfiguration. This flaw allows remote, unauthenticated attackers to browse the web root directory, potentially leading to sensitive information disclosure and authentication bypass.

CVE-2016-10140 | CWE-200

Impact

A remote, unauthenticated attacker can browse directories within the web root of a ZoneMinder installation [S1]. This exposure allows for the disclosure of sensitive system information and can lead to a complete authentication bypass, granting unauthorized access to the application's management interface [S1].

Root Cause

The vulnerability is caused by a flawed Apache HTTP Server configuration bundled with ZoneMinder versions 1.29 and 1.30 [S1]. The configuration fails to restrict directory indexing, which results in the web server serving directory listings to unauthenticated users [S1].

Remediation

To address this issue, administrators should update ZoneMinder to a version that includes a corrected web server configuration [S1]. If an immediate upgrade is not possible, the Apache configuration files associated with the ZoneMinder installation should be manually hardened to disable directory indexing and enforce strict access controls on the web root [S1].
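As an added illustration of the manual hardening described above (not ZoneMinder's shipped configuration), the fragment below shows the weak form that produces directory listings beside a corrected form. It assumes Apache 2.4 syntax; the web root /srv/zoneminder-www, the alias /zm and the denied file extensions are placeholders to adapt to the actual installation.

```apache
# Constructed example; paths and alias are placeholders, not ZoneMinder defaults.

# --- Weak form (commented out): what the exposed state looks like ---
# With Indexes enabled, mod_autoindex renders an "Index of /..." listing for
# any directory that has no file matching DirectoryIndex, to any client.
#Alias /zm /srv/zoneminder-www
#<Directory /srv/zoneminder-www>
#    Options Indexes FollowSymLinks
#    AllowOverride All
#    Require all granted
#</Directory>

# --- Hardened form ---
Alias /zm /srv/zoneminder-www
<Directory /srv/zoneminder-www>
    # -Indexes: Apache returns 403 instead of generating a listing.
    Options -Indexes +FollowSymLinks
    # Prevent a stray .htaccess from re-enabling Indexes.
    AllowOverride None
    # Only the application's own entry point is served for a bare directory;
    # the application then enforces its own session-based authentication.
    DirectoryIndex index.php
    Require all granted
</Directory>

# Deny direct retrieval of files that are never meant to be served to clients
# (assumed extension list; adjust to what is actually present in the web root).
<Directory /srv/zoneminder-www>
    <FilesMatch "\.(ini|conf|sql|bak|log)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Validate with `apachectl configtest` before reloading, then confirm that a request for a subdirectory without an index file returns 403 rather than a body containing "Index of /".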

Detection Research

Research into this vulnerability indicates that detection involves identifying ZoneMinder instances and attempting to access the web root or known subdirectories without authentication [S1]. A vulnerable state is typically indicated by the presence of standard directory listing patterns, such as the "Index of /" string, in the HTTP response body when no valid session is present [S1].