Hi James

Disclaimer: Only did a quick check.

On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> Control: tag -1 patch
>
> On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > Some additional information: In most usual cases where zoneminder is
> > set up, there should be authentication first. So this limits somehow
> > the vulnerability.
>
> The attached patch should address the issue, but I don't have a setup to
> test.

I rebuilt the package with your patch and tested it shortly in a VM installing zoneminder. It now does not seem possible anymore to inject a command to be executed with webserver user rights.

Thanks for working on this James.

Regards,
Salvatore