FixVibe

ZoneMinder Apache configuration information (CVE-2016-10140)

ZoneMinder 1.29 and 1.30 include an Apache misconfiguration that allows unauthenticated directory browsing and may allow authentication to be bypassed.

ZoneMinder versions 1.29 and 1.30 are affected by a bundled Apache HTTP Server misconfiguration. This flaw allows remote, unauthenticated attackers to browse the web root directory, potentially leading to sensitive information disclosure and authentication bypass.

CVE-2016-10140 / CWE-200

Impact

A remote, unauthenticated attacker can browse directories within the web root of a ZoneMinder installation [S1]. This exposure allows for the disclosure of sensitive system information and can lead to a complete authentication bypass, granting unauthorized access to the application's management interface [S1].

Root Cause

The vulnerability is caused by a flawed Apache HTTP Server configuration bundled with ZoneMinder versions 1.29 and 1.30 [S1]. The configuration fails to restrict directory indexing, which results in the web server serving directory listings to unauthenticated users [S1].

Remediation

To address this issue, administrators should update ZoneMinder to a version that includes a corrected web server configuration [S1]. If an immediate upgrade is not possible, the Apache configuration files associated with the ZoneMinder installation should be manually hardened to disable directory indexing and enforce strict access controls on the web root [S1].

Detection Research

Research into this vulnerability indicates that detection involves identifying ZoneMinder instances and attempting to access the web root or known subdirectories without authentication [S1]. A vulnerable state is typically indicated by the presence of standard directory listing patterns, such as the "Index of /" string, in the HTTP response body when no valid session is present [S1].
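The detection described above, and the 403 an Apache instance returns once directory indexing has been disabled as the Remediation section recommends, as an added Python example that is not part of the original advisory: it classifies raw HTTP responses captured from an operator's own ZoneMinder host when requested without a session cookie. The sample responses, paths and Apache autoindex markup below are constructed for illustration.

```python
"""Offline check for the Apache directory-listing exposure (constructed samples)."""
import re

# Apache mod_autoindex pages carry an "Index of /<path>" title and link entries.
INDEX_TITLE = re.compile(rb"<title>\s*Index of (/[^<]*)</title>", re.IGNORECASE)
LINK_ENTRY = re.compile(rb'<a href="[^"]+">[^<]+</a>', re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def is_directory_listing(raw: bytes) -> bool:
    """True when the response is an open Apache directory index.

    A 403 (what Apache serves once Indexes is removed) or a login page is
    treated as not exposed, so only a 200 HTML body with the autoindex
    title and at least one link entry counts."""
    status, headers, body = parse_response(raw)
    if status != 200 or "html" not in headers.get("content-type", ""):
        return False
    return bool(INDEX_TITLE.search(body)) and bool(LINK_ENTRY.search(body))


def exposed_paths(responses: dict) -> list:
    """Return the requested paths whose unauthenticated response is a listing."""
    return [path for path, raw in responses.items() if is_directory_listing(raw)]


# Constructed samples: a vulnerable listing, a hardened 403, and the login page.
VULNERABLE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n"
              b"<html><head><title>Index of /zm</title></head><body><h1>Index of /zm</h1>"
              b'<ul><li><a href="/">Parent Directory</a></li><li><a href="api/">api/</a></li>'
              b'<li><a href="skins/">skins/</a></li></ul></body></html>')
HARDENED = (b"HTTP/1.1 403 Forbidden\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
            b"<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>")
LOGIN_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><head><title>ZM - Login</title></head><body><form></form></body></html>")
SAMPLES = {"/zm/": VULNERABLE, "/zm/skins/": HARDENED, "/zm/index.php": LOGIN_PAGE}

if __name__ == "__main__":
    print("exposed:", exposed_paths(SAMPLES))  # prints: exposed: ['/zm/']
```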