NUUO Camera Command Injection Vulnerability in handle_config.php
Vulnerability
A critical command injection vulnerability has been identified in NUUO Camera versions prior to 20250203. The issue resides in the handle_config.php file, specifically within the print_file function. Remote attackers can execute arbitrary commands by manipulating the log parameter. Exploitation does not require authentication.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected system.
Reproduction
To reproduce this vulnerability, send a crafted HTTP request to the handle_config.php file that includes a manipulated log parameter. The parameter value is concatenated into the print_file function, which triggers the command injection and executes the injected commands on the server.
Remediation
It is recommended to implement restrictive firewall rules to block unauthorized access to the vulnerable application.
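To check whether a device was probed before the firewall rules went in, the following added example (not part of the original advisory and not NUUO code) scans web access logs for requests to handle_config.php whose log parameter decodes to a value containing shell metacharacters. The combined log format, the request path, the parameter being sent in the query string, and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}\\]")
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded values are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_log_param(line):
    """Return the decoded `log` value if the line is a request to
    handle_config.php carrying shell metacharacters in `log`, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/handle_config.php"):
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(value)
        if key == "log" and SHELL_META.search(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_value) for every flagged log line."""
    hits = []
    for line in lines:
        value = suspicious_log_param(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder path and values).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /handle_config.php?log=system.log HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /handle_config.php?log=system.log%3Bid HTTP/1.1" 200 87',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /index.php?log=a%3Bb HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE):
        print(f"possible injection attempt from {ip}: log={value!r}")
```

Access logs normally omit request bodies, so a request that carries the parameter in a POST body will not appear here; a hit from any source on an unpatched device warrants treating it as potentially compromised.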
