zoneminder/web/api
Isaac Connor b036408a5b Fix RCE vulnerability via API config edit privilege escalation
Add RBAC checks to ConfigsController edit() and delete() requiring
System=Edit permission, matching the pattern used by other controllers.
Harden System/Readonly column checks with !empty() to handle missing
columns gracefully. Fix command injection in Event.php by using
ZM_PATH_FFMPEG constant with escapeshellarg() instead of hardcoded
unsanitized ffmpeg call. Add is_executable() validation at all exec()
sites using ZM_PATH_FFMPEG as defense-in-depth against poisoned config
values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 13:51:30 -05:00
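The command-injection half of the commit message above, as an added example that is not ZoneMinder's code: the unsafe pattern (path and file name interpolated straight into the command string) beside the hardened one (is_executable() gate on the configured binary, every attacker-influenced value through escapeshellarg()). Only the ZM_PATH_FFMPEG name comes from the page; the function names, the define() fallback and the sample file name are hypothetical. Note that the is_executable() check is only the defense-in-depth layer the message describes: it rejects a config value that is not a runnable program, not a config value that points at a different runnable program, so the RBAC check on config edits remains the actual fix.

```php
<?php
// Added example, not ZoneMinder's code. Only ZM_PATH_FFMPEG is a name from
// the page; the functions and sample input below are hypothetical.
declare(strict_types=1);

// Stand-in for the config-derived constant. In the scenario the commit
// describes, a user who could edit config could point this anywhere.
if (!defined('ZM_PATH_FFMPEG')) {
    define('ZM_PATH_FFMPEG', '/usr/bin/ffmpeg');
}

// Unsafe form: binary name and file names reach the shell verbatim, so a
// file name such as "clip.mp4; id" runs "id" after ffmpeg exits.
function ffmpegCommandUnsafe(string $input, string $output): string
{
    return "ffmpeg -i $input -vf scale=320:-1 $output 2>/dev/null";
}

// Hardened form: refuse to run unless the configured path is a real
// executable, then quote each argument so the shell sees one word per value.
function ffmpegCommandSafe(string $input, string $output): string
{
    $ffmpeg = ZM_PATH_FFMPEG;
    if (!is_executable($ffmpeg)) {
        throw new RuntimeException("Refusing to run: $ffmpeg is not executable");
    }
    return escapeshellarg($ffmpeg)
        . ' -i ' . escapeshellarg($input)
        . ' -vf scale=320:-1 '
        . escapeshellarg($output)
        . ' 2>/dev/null';
}

// Constructed malicious file name (not taken from any real event).
$evil = 'clip.mp4; id';

echo "unsafe: ", ffmpegCommandUnsafe($evil, 'thumb.jpg'), "\n";

try {
    echo "safe:   ", ffmpegCommandSafe($evil, 'thumb.jpg'), "\n";
} catch (RuntimeException $e) {
    // Reached when ZM_PATH_FFMPEG does not name an executable on this host.
    echo $e->getMessage(), "\n";
}
```

Run it with the PHP CLI on a host where /usr/bin/ffmpeg exists to see both strings side by side; on Linux escapeshellarg() wraps each value in single quotes (and rewrites an embedded single quote as '\''), so the semicolon in the sample name stays inside one argument instead of terminating the command. The same two functions show why exec() sites should build argument lists rather than format strings: the unsafe form cannot be fixed by validating the file name alone, because the binary path is attacker-influenced too.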
app Fix RCE vulnerability via API config edit privilege escalation 2026-02-26 13:51:30 -05:00
lib/Cake Upgrade cakephp to 2.10.24 2021-03-31 12:11:12 -04:00
.editorconfig Moved the api to underneath the web directory 2014-04-29 20:41:04 +00:00
CMakeLists.txt Update CMakeLists.txt 2017-05-03 12:35:54 -05:00
CONTRIBUTING.md Upgrade cakephp to 2.10.24 2021-03-31 12:11:12 -04:00
README.md Text corrections 2023-08-27 02:00:59 +02:00
build.properties Upgrade cakephp to 2.10.24 2021-03-31 12:11:12 -04:00
build.xml Upgrade cakephp to 2.10.24 2021-03-31 12:11:12 -04:00
composer.json fix: remove vulnerable phpunit dev dependency (CVE-2026-24765) 2026-02-11 21:59:03 -05:00
index.php Upgrade cakephp to 2.10.24 2021-03-31 12:11:12 -04:00

README.md

ZoneMinder API

This is the ZoneMinder API. For now it should be installed under the webroot, e.g. at /api.

Copy app/Config/database.php.default to app/Config/database.php and fill in the database connection settings.

In addition, Security.salt and Security.cipherSeed in app/Config/core.php must be changed from the shipped defaults. Those defaults are not secret, and CakePHP uses the two values to hash and encrypt data, so an install that keeps them is weaker than it looks even with a correctly configured database.

The API can run on a dedicated or separate instance, so long as that instance can reach the database configured in app/Config/database.php. In that layout, grant the database account access only from the hosts that actually run the API.
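A check for the Security.salt / Security.cipherSeed step above, as an added example that is not part of the ZoneMinder project: it scans a core.php for the stock CakePHP 2 values, reports which are still present, and rewrites them with freshly generated ones. The two default strings are the ones CakePHP 2.x ships in its app/Config/core.php; the function names, the regular expressions and the built-in sample file are hypothetical.

```php
<?php
// Added example for the README above; not ZoneMinder's own tooling.
// The default values are CakePHP 2.x's shipped ones; the rest is hypothetical.
declare(strict_types=1);

const CAKE_DEFAULT_SALT = 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi';
const CAKE_DEFAULT_CIPHER_SEED = '76859309657453542496749683645';

// 40 random alphanumerics, the same shape as the shipped salt.
function generateSalt(int $length = 40): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Digits only, as core.php documents for cipherSeed; a non-zero first digit
// keeps the value stable if anything converts it to a number and back.
function generateCipherSeed(int $length = 29): string
{
    $out = (string) random_int(1, 9);
    for ($i = 1; $i < $length; $i++) {
        $out .= (string) random_int(0, 9);
    }
    return $out;
}

// Names of the settings still at their CakePHP default (empty array = OK).
function findDefaultSecrets(string $coreContents): array
{
    $found = [];
    $saltRe = "/Security\.salt',\s*'" . preg_quote(CAKE_DEFAULT_SALT, '/') . "'/";
    $seedRe = "/Security\.cipherSeed',\s*'" . CAKE_DEFAULT_CIPHER_SEED . "'/";
    if (preg_match($saltRe, $coreContents)) {
        $found[] = 'Security.salt';
    }
    if (preg_match($seedRe, $coreContents)) {
        $found[] = 'Security.cipherSeed';
    }
    return $found;
}

// Replaces whatever is inside both Configure::write() calls with new values.
// Generated values are alphanumeric, so they need no escaping in the replacement.
function rotateSecrets(string $coreContents): string
{
    $withSalt = preg_replace(
        "/(Configure::write\('Security\.salt',\s*')[^']*(')/",
        '${1}' . generateSalt() . '${2}',
        $coreContents
    );
    return preg_replace(
        "/(Configure::write\('Security\.cipherSeed',\s*')[^']*(')/",
        '${1}' . generateCipherSeed() . '${2}',
        $withSalt
    );
}

// Usage: php rotate_secrets.php app/Config/core.php
// With no argument a constructed sample carrying the stock values is used.
$path = $argv[1] ?? null;
if ($path !== null) {
    $core = file_get_contents($path);
    if ($core === false) {
        fwrite(STDERR, "cannot read $path\n");
        exit(1);
    }
} else {
    $core = "<?php\n"
        . "Configure::write('Security.salt', '" . CAKE_DEFAULT_SALT . "');\n"
        . "Configure::write('Security.cipherSeed', '" . CAKE_DEFAULT_CIPHER_SEED . "');\n";
}

$stale = findDefaultSecrets($core);
if ($stale === []) {
    echo "OK: no CakePHP default secrets found\n";
    exit(0);
}
echo 'WARNING: still using CakePHP defaults for ', implode(', ', $stale), "\n";
$rotated = rotateSecrets($core);
if ($path !== null) {
    file_put_contents($path, $rotated);
    echo "Rotated secrets written to $path\n";
} else {
    echo $rotated;
}
```

Run it once against the real core.php after copying database.php into place; a second run should print the OK line, which makes it usable as a post-install check. Rotating these values invalidates anything the framework already hashed or encrypted with the old ones, so do it before the instance is put into use rather than on a live API.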