Message-ID: <69c817560b7e40d0995ab6ed8b2e8f32@imshyb01.MITRE.ORG>
Date: Sat, 4 Feb 2017 21:32:29 -0500
From: <cve-assign@...re.org>
To: <advisories@...mole.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: [FOXMOLE SA 2016-07-05] ZoneMinder - Multiple Issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://www.foxmole.com/advisories/foxmole-2016-07-05.txt

> The following findings are only examples; there are quite a few more.

> 1) Cross Site Scripting (XSS)

> [] index.php?view=request&
>          request=log&
>          task=download&
>          key=a9fef1f4&
>          format=[XSS]

Use CVE-2016-10201.


> [] index.php/[XSS]

Use CVE-2016-10202.


> [] Creating a new monitor using [XSS in] the name

Use CVE-2016-10203.


> [] 2) SQL Injection

> Parameter: limit (POST)

Use CVE-2016-10204.


> [] 3) Session Fixation

> After a successful authentication the Session Cookie ZMSESSID remains the same.

Use CVE-2016-10205.


> [] 4) No CSRF Protection

> A possible CSRF attack form, which changes the password of the admin

Use CVE-2016-10206.
- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYlo37AAoJEHb/MwWLVhi2nWEP/219hKMVosSqRw9bj9SbRjbL
bRGYYuYjwbE7/JWLFL0o0IdjoO3Rndkwg39SAn4Bf92ZbSk+mrTLDHyM+sOI0JBD
5m9/yE1Oh/Nnlw0dwNSL74Qo1LeHlj6Dq1WbALwQy+Nr46PYrKTeK2RyOFtX2mXF
ogzDiPv6vzkRaAp90T5eVkTLUm6WUhvo0lsE0w2B5iJLDXZ9JWyCyRiagJhwTqCa
pRfvRG/0k6rar7lsyxVVC1LhAAhKiJUo7ZKH+3RAcvd+0S0FOWUH2SEhiDpqvnQS
WAx8Y/iE6Ijuymlmd0U+CeEg3dIpnqFu6haof/m+g5pNFXJlQbnElwW80rH2b56n
rhG8xNx+hd9tUKqtfTIX+T4dXkGcWEe5A9dqBN6BNmzNXWJ6tmSuFyGTDfsyMWxH
ima3jgZVmoIYlVxfUXNrUMetsdD1nDr1bGFsecN+WV8JaTf9lo1vEum1NHMr4ruC
hxFmDVGsmxJa2VEmqcRrAGs6JYvJKiQT0gu7y8g2EeYzRiprdlh9sLaPnG9aXgQa
M+OD0M2tgcc4hFCbS65jxyf8NmaIKBR2UuApkDQxIO4uv7neuIuBvJr16STE2baZ
jkWbYAtZDyXtJ5Vs5+Nb6IhdYcq6eW6/2qfz7AI48cSZHWop6l8o6q01VkgrLU/h
0pxDmijjxjLENgyn6Mg0
=jw7Y
-----END PGP SIGNATURE-----
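Items 3 and 4 of the quoted advisory (the ZMSESSID cookie that keeps its value across authentication, and the password-change form with no CSRF protection) share a root cause: the server keeps trusting client-supplied state across a privilege change. The Python sketch below is added here as an illustration; it is neither ZoneMinder's code nor part of the advisory or the CVE team's reply. It puts the fixation-prone login and the token-less password change beside hardened versions, over a constructed in-memory session store; the SessionStore class, the USERS table and every function name are assumptions of the example.

```python
"""Session fixation and CSRF on a password-change endpoint: vulnerable and
hardened handlers over a constructed in-memory session store.
Illustrative only; not ZoneMinder's code."""
import hmac
import secrets

# Constructed user table: username -> password. Plaintext only to keep the
# example short; a real system stores a salted password hash.
USERS = {"admin": "correct-horse"}


class SessionStore:
    """Minimal server-side store keyed by the cookie value (ZMSESSID-like)."""

    def __init__(self):
        self._sessions = {}

    def new(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_hex(16)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def login_fixation_prone(store, sid, username, password):
    """Vulnerable pattern: marks the pre-existing session as authenticated in
    place, so the cookie value issued before login stays valid after it."""
    sess = store.get(sid)
    if sess is None or USERS.get(username) != password:
        return None
    sess["user"] = username
    return sid  # same cookie value before and after authentication


def login_hardened(store, sid, username, password):
    """Hardened pattern: on success, drop the old session and issue a fresh id
    (the equivalent of PHP's session_regenerate_id(true))."""
    if USERS.get(username) != password:
        return None
    store.destroy(sid)
    new_sid = store.new()
    store.get(new_sid)["user"] = username
    return new_sid


def change_password_unprotected(store, sid, form):
    """No CSRF check: any request that carries the cookie succeeds, including
    one a third-party page caused the browser to send."""
    sess = store.get(sid)
    if sess is None or sess["user"] is None:
        return False
    USERS[sess["user"]] = form["new_password"]
    return True


def change_password_protected(store, sid, form):
    """CSRF-protected: the form must echo the per-session token, which a
    cross-site page cannot read; compared in constant time."""
    sess = store.get(sid)
    if sess is None or sess["user"] is None:
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return False
    USERS[sess["user"]] = form["new_password"]
    return True


def fixation_demo(login):
    """Log in through `login` and report whether the pre-auth cookie value
    still names an authenticated session afterwards."""
    store = SessionStore()
    pre_auth_sid = store.new()  # value the browser held before credentials were checked
    post_auth_sid = login(store, pre_auth_sid, "admin", "correct-horse")
    old = store.get(pre_auth_sid)
    return {
        "cookie_changed": post_auth_sid != pre_auth_sid,
        "old_cookie_authenticated": old is not None and old["user"] is not None,
    }


def csrf_demo(change_password):
    """Submit a forged form (cookie present, token absent) and a legitimate one
    through `change_password`; report which were accepted."""
    store = SessionStore()
    sid = login_hardened(store, store.new(), "admin", "correct-horse")
    forged_ok = change_password(store, sid, {"new_password": "set-by-forged-request"})
    legit = {"new_password": "n3w-pass", "csrf_token": store.get(sid)["csrf"]}
    legit_ok = change_password(store, sid, legit)
    USERS["admin"] = "correct-horse"  # restore the constructed fixture
    return {"forged_accepted": forged_ok, "legit_accepted": legit_ok}


if __name__ == "__main__":
    for fn in (login_fixation_prone, login_hardened):
        print(fn.__name__, fixation_demo(fn))
    for fn in (change_password_unprotected, change_password_protected):
        print(fn.__name__, csrf_demo(fn))
```

Running the two demo functions against each pair shows the difference: the fixation-prone login leaves the pre-authentication cookie value bound to an authenticated session, while the hardened login invalidates it and hands back a fresh id; the unprotected password change accepts a form that carries only the cookie, while the protected one also requires the per-session token. In a PHP application such as ZoneMinder, the first fix is a session_regenerate_id(true) call immediately after the credential check succeeds.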