NUUO Arbitrary File Deletion Vulnerability Vendor: NUUO Inc. Product web page: Affected version: <=3.0.8 Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always. Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server using their absolute path or via directory traversal sequences passed within the affected POST/GET parameter. ================================================================== /deletefile.php: ---------------- 1: ================================================================== Tested on: GNU/Linux 3.0.8 (armv7l) GNU/Linux (armv5tel) lighttpd/1.4.28 PHP/5.5.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic % # Iranian Exploit DataBase = http://IeDb.Ir [2016-08-08]