DB Electronica Telecomunicazioni Mozart FM Transmitter Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability allowing unauthenticated arbitrary file uploads has been identified in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue resides in the 'status_contents.php' file, where the application fails to properly validate uploaded files before moving them to a designated directory. This lack of server-side extension validation and MIME type verification enables attackers to upload malicious files, such as PHP scripts, under the guise of legitimate firmware files.

Impact

Exploitation of this vulnerability allows for unauthenticated arbitrary file uploads, which could be leveraged to execute malicious files on the server.

Reproduction

The vulnerability can be reproduced by sending a POST request to 'status_contents.php' with a file upload. The uploaded file can be a PHP script disguised as a '.tgz' file, bypassing the application's client-side extension check. Once uploaded, the file can be executed through another endpoint that extracts files from the 'settings' directory.
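The root cause described above is that the upload handler trusts the client: no session check, no server-side extension allow-list, no content inspection, and the client-supplied filename is reused on disk. The following is an added example, not code from DB Electronica Telecomunicazioni or from the transmitter firmware, showing what a hardened firmware-upload handler in PHP looks like. The function name `handle_firmware_upload`, the staging directory `/var/lib/firmware-staging`, and the `$_SESSION['admin']` flag are assumptions for illustration.

```php
<?php
// Added example of a hardened firmware upload handler (not the vendor's code).
// Assumptions: an authenticated admin session sets $_SESSION['admin'] = true,
// and firmware is staged in a directory that the web server never serves.

const FW_ALLOWED_MIME = ['application/gzip', 'application/x-gzip'];
const FW_MAX_BYTES    = 50 * 1024 * 1024;               // assumed size ceiling
const FW_STAGING_DIR  = '/var/lib/firmware-staging';     // assumed; outside web root

/**
 * Validate and store an uploaded firmware archive.
 * Returns the server-chosen path on success; throws on any failed check.
 */
function handle_firmware_upload(array $file): string
{
    // 1. The endpoint must never be reachable without authentication.
    if (empty($_SESSION['admin'])) {
        http_response_code(401);
        throw new RuntimeException('authentication required');
    }

    // 2. Reject transport-level upload errors and oversized payloads.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) <= 0 || $file['size'] > FW_MAX_BYTES) {
        throw new RuntimeException('invalid size');
    }
    // Only accept a file PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 3. Server-side extension check: exactly one ".tgz" suffix, a safe
    //    character set, and no directory components (basename strips them).
    //    A name like "shell.php.tgz" or "shell.tgz.php" is rejected here.
    $name = basename((string) ($file['name'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.tgz$/', $name)) {
        throw new RuntimeException('disallowed filename');
    }

    // 4. Content check: a .tgz must start with the gzip magic bytes 1F 8B.
    //    The client-sent $file['type'] is ignored entirely.
    $fh = fopen($file['tmp_name'], 'rb');
    $magic = $fh ? fread($fh, 2) : '';
    if ($fh) {
        fclose($fh);
    }
    if ($magic !== "\x1f\x8b") {
        throw new RuntimeException('not a gzip archive');
    }

    // 5. Independent MIME detection via libmagic, not the request header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, FW_ALLOWED_MIME, true)) {
        throw new RuntimeException('unexpected content type: ' . $mime);
    }

    // 6. Store under a server-generated name with a fixed extension, in a
    //    directory the web server does not execute or serve, non-executable.
    if (!is_dir(FW_STAGING_DIR)) {
        throw new RuntimeException('staging directory missing');
    }
    $dest = FW_STAGING_DIR . '/' . bin2hex(random_bytes(16)) . '.tgz';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);

    return $dest;
}

// Usage (assumed form field name "firmware"):
// session_start();
// try {
//     $path = handle_firmware_upload($_FILES['firmware'] ?? []);
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     error_log('firmware upload rejected: ' . $e->getMessage());
// }
```

Each check addresses one part of the weakness named in the advisory: the session test closes the unauthenticated path, the filename regex and magic-byte/libmagic checks replace the bypassable client-side extension test, and storing under a random server-chosen name outside the web root means that even a file that slips through cannot be requested or executed as PHP. The endpoint that later extracts the archive should apply the same discipline to archive member names (no absolute paths or `..` components, no executable extensions) before writing anything to the 'settings' directory.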

Added: Nov 26, 2025, 1:26 AM
Updated: Nov 26, 2025, 1:26 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.