DB Electronica Mozart FM Transmitter Unrestricted File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A file upload vulnerability has been identified in the web management interface of the DB Electronica Mozart FM Transmitter, specifically in version WEBMOZZI-00287. The vulnerability resides in the '/patch.php' endpoint, where an authenticated user with administrative privileges can upload arbitrary files, such as PHP web shells. These files are stored in the '/patch/' directory, enabling the execution of arbitrary commands on the server and potentially leading to a complete system compromise.

Impact

Exploitation of this vulnerability allows arbitrary files to be uploaded and then executed as scripts on the server. This can result in unauthorized access to the system, manipulation of its data, or a full compromise that gives the attacker complete control over the transmitter's server.

Reproduction

To reproduce this vulnerability, log into the Mozart FM Transmitter web interface as an administrator. Navigate to the '/patch.php' endpoint and upload a malicious PHP web shell. Once the file is uploaded, it can be accessed via the '/patch/' directory, where the web shell can be executed to run arbitrary commands on the server.

Remediation

It is recommended to implement file type and content validation so that uploads are restricted to an allowlist of expected file types and the file content is verified to match its intended purpose. Additionally, uploaded files should be stored outside of web-accessible directories, and access to the '/patch.php' endpoint should be restricted to authorized personnel only.
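The following is an added example of how a patch-upload handler can apply those three controls (type and content validation, storage outside the web root, and an explicit role check); it is not the vendor's code. The store directory /var/lib/mozart/patches, the .bin extension, the 16 MiB size ceiling and the $_SESSION['role'] marker are assumptions, and PHP 8 is assumed for str_starts_with.

```php
<?php
// Hardened upload handler for the patch endpoint (added example, not the vendor's code).
// Assumed, not from the advisory: patches are .bin files, /var/lib/mozart/patches lies
// outside the document root, and an admin session carries $_SESSION['role'] === 'admin'.
const PATCH_STORE   = '/var/lib/mozart/patches'; // assumed path, never served by the web server
const MAX_PATCH_LEN = 16 * 1024 * 1024;           // assumed size ceiling for a firmware patch
const ALLOWED_EXT   = ['bin'];                    // allowlist: .php, .phtml, .html, ... never accepted

function reject(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg . "\n");
}

session_start();
// Fail closed: the endpoint stays admin-only even if the session layer is misconfigured.
if (($_SESSION['role'] ?? '') !== 'admin') {
    reject(403, 'forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['patch'])) {
    reject(400, 'patch file required');
}
$f = $_FILES['patch'];
if ($f['error'] !== UPLOAD_ERR_OK || $f['size'] <= 0 || $f['size'] > MAX_PATCH_LEN) {
    reject(400, 'upload rejected');
}

// The client-supplied name decides only accept/reject; it is never used on disk.
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if (!in_array($ext, ALLOWED_EXT, true)) {
    reject(415, 'unsupported file type');
}

// Content validation inspects the bytes, not the Content-Type the client sent. A firmware
// patch is binary, so anything libmagic classifies as text (PHP source is text/x-php) is
// refused; checking the real patch format's magic is the vendor-specific step left open here.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if ($mime === false || str_starts_with($mime, 'text/')) {
    reject(415, 'unsupported content');
}

// Server-chosen random name, fixed extension, non-executable mode, outside the web root.
$dest = PATCH_STORE . '/' . bin2hex(random_bytes(16)) . '.bin';
if (!move_uploaded_file($f['tmp_name'], $dest) || !chmod($dest, 0640)) {
    reject(500, 'storage failure');
}
echo "stored\n";
```

Because the stored name is chosen by the server and the directory is not mapped by the web server, an uploaded file can never be reached as a URL even if a validation step is bypassed.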

Added: Nov 18, 2025, 8:18 PM
Updated: Nov 18, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.1
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.