zoneminder (1.25.0-4+deb7u1) wheezy-security; urgency=high

 An information disclosure and authentication bypass vulnerability exists in
 the Apache HTTP Server configuration bundled with ZoneMinder. It allows a
 remote unauthenticated attacker to browse all directories in the web root;
 for example, such an attacker can view all CCTV images on the server.

 To prevent this on existing installations, change the Options statement
 in your Apache configuration from:
     Options Indexes FollowSymLinks
 to:
     Options -Indexes +FollowSymLinks

 or, as shown in the complete configuration snippet in /etc/zm/apache.conf,
 change:

   Alias /zm /usr/share/zoneminder

   <Directory /usr/share/zoneminder>
     php_flag register_globals off
     Options Indexes FollowSymLinks
     <IfModule mod_dir.c>
       DirectoryIndex index.php
     </IfModule>
   </Directory>


 to:

   Alias /zm /usr/share/zoneminder

   <Directory /usr/share/zoneminder>
     php_flag register_globals off
     Options -Indexes +FollowSymLinks
     <IfModule mod_dir.c>
       DirectoryIndex index.php
     </IfModule>
   </Directory>
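
 One way to confirm the change on an installation, as an added example that
 is not part of the package or of this entry: the script lists every active
 Options line in a configuration file that still enables Indexes, by name or
 through All. The function names and the sample files are constructed for
 the illustration.

```shell
#!/bin/sh
# Added example (not part of the package): flag active "Options" lines in an
# Apache config that still enable directory listings.

# Print "line: directive" for each uncommented Options line that turns
# Indexes on, by name or through "All". Exit 0 if any is found, 1 if none.
# Heuristic per directive line; it does not model inheritance between sections.
find_indexes_enabled() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "options" {
            on = 0
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "indexes" || opt == "+indexes" || opt == "all") on = 1
                if (opt == "-indexes") on = 0
            }
            if (on) { printf "%d: %s\n", NR, $0; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input: the old and new <Directory> blocks from this entry.
write_samples() {
    cat > "$1/before.conf" <<'EOF'
<Directory /usr/share/zoneminder>
  php_flag register_globals off
  Options Indexes FollowSymLinks
</Directory>
EOF
    cat > "$1/after.conf" <<'EOF'
<Directory /usr/share/zoneminder>
  php_flag register_globals off
  Options -Indexes +FollowSymLinks
</Directory>
EOF
}

# With a file argument, check that file; otherwise run on the samples.
if [ -n "${1:-}" ]; then
    find_indexes_enabled "$1" && echo "directory listings still enabled in $1"
else
    tmp=$(mktemp -d) && write_samples "$tmp"
    for f in before after; do
        find_indexes_enabled "$tmp/$f.conf" || echo "$f.conf: no Indexes enabled"
    done
    rm -rf "$tmp"
fi
```

 Run it with /etc/zm/apache.conf as the argument after editing the file; no
 output means no Options line in that file enables Indexes.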

 
 -- Thorsten Alteholz <debian@alteholz.de>  Fri, 27 Jan 2017 19:03:02 +0100
