DB Electronica Mozart FM Transmitter Unauthenticated Path Traversal Vulnerability Allowing Arbitrary File Deletion
Vulnerability
A vulnerability exists in DB Electronica Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The web interface's 'deletehidden' parameter is used to name a .tgz file to delete from a designated settings directory, but the value is appended to that directory without sanitization. Because '../' sequences in the value are honoured, an unauthenticated request can traverse out of the directory and delete .tgz files elsewhere on the filesystem.
Impact
Exploitation allows an unauthenticated remote attacker to delete arbitrary .tgz files that the web server process has permission to remove, potentially disrupting service or destroying configuration backups and logs.
Reproduction
The vulnerability can be reproduced by sending a POST request to 'status_contents.php' with the 'deletehidden' parameter and no authentication. The value should contain '../' sequences so that, when concatenated onto the '/var/www/settings/' directory, the resulting path points at a .tgz file outside it. Because the input is not sanitized, a file such as '/var/log/syslog.tgz' is deleted, provided the web server account has permission to remove it.
Remediation
To address this vulnerability, sanitize the parameter before building the path: reduce it to a bare file name with 'basename()' so that directory components and traversal sequences are stripped, and accept only names ending in '.tgz'. Because 'basename()' alone does not defend against symbolic links or unexpected names such as '.' and '..', the deletion logic should also canonicalize the resulting path, confirm it still resolves inside the settings directory, and verify that the target exists and is a regular file before attempting to remove it.
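The following Python model is an added example, not code from DB Electronica or from the original advisory. It reproduces the described handling of 'deletehidden' against a constructed temporary filesystem (a settings archive inside 'var/www/settings' and a 'var/log/syslog.tgz' outside it), first with the vulnerable concatenation and then with a hardened handler that applies basename(), an extension check, and a canonical-path containment check. The request body, fixture paths and function names are assumptions for illustration; the vulnerable PHP is not reproduced here.

```python
"""Added example (not the vendor's or the advisory's code): the reported
'deletehidden' path traversal modelled in Python, vulnerable and hardened."""
import os
import tempfile
from urllib.parse import parse_qs

# Constructed request body: the POST to status_contents.php described in the
# advisory, with the traversal payload URL-encoded as a browser would send it.
POST_BODY = "deletehidden=..%2F..%2Flog%2Fsyslog.tgz"


def deletehidden_from_body(body):
    """Decode the 'deletehidden' value from a form-encoded request body."""
    return parse_qs(body)["deletehidden"][0]


def vulnerable_delete(root, deletehidden):
    """Models the reported behaviour: the untrusted value is appended to the
    settings directory unsanitized, so '../' components are honoured."""
    settings_dir = os.path.join(root, "var", "www", "settings")
    target = os.path.normpath(os.path.join(settings_dir, deletehidden))
    if os.path.isfile(target):
        os.remove(target)
        return target
    return None


def hardened_delete(root, deletehidden):
    """Hardened handler: strip directory components (PHP basename() equivalent),
    require a plain .tgz name, canonicalize, confirm the result still lives in
    the settings directory and is a regular file, then unlink it."""
    settings_dir = os.path.realpath(os.path.join(root, "var", "www", "settings"))
    name = os.path.basename(deletehidden)
    if name in ("", ".", "..") or not name.endswith(".tgz"):
        raise ValueError("rejected: not a plain .tgz file name: %r" % deletehidden)
    target = os.path.realpath(os.path.join(settings_dir, name))
    # basename() alone would not stop a symlink inside settings/ that points
    # elsewhere; realpath() plus this directory check covers that case.
    if os.path.dirname(target) != settings_dir:
        raise ValueError("rejected: resolved path leaves the settings directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    os.remove(target)
    return target


def build_fixture():
    """Constructed filesystem: one archive the operator may delete and one log
    archive outside the settings directory that must never be reachable."""
    root = tempfile.mkdtemp(prefix="mozart-traversal-demo-")
    os.makedirs(os.path.join(root, "var", "www", "settings"))
    os.makedirs(os.path.join(root, "var", "log"))
    for rel in ("var/www/settings/backup.tgz", "var/log/syslog.tgz"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x1f\x8b" + b"\x00" * 14)  # gzip magic; contents irrelevant
    return root


def _rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")


def run_demo():
    """Run the same payload through both handlers and report what happened."""
    payload = deletehidden_from_body(POST_BODY)  # '../../log/syslog.tgz'
    results = {"payload": payload}

    root = build_fixture()
    deleted = vulnerable_delete(root, payload)
    results["vulnerable_deleted"] = _rel(root, deleted) if deleted else None
    results["vulnerable_syslog_exists"] = os.path.exists(os.path.join(root, "var/log/syslog.tgz"))

    root = build_fixture()
    try:
        hardened_delete(root, payload)
        results["hardened_rejected"] = False
    except (ValueError, FileNotFoundError):
        results["hardened_rejected"] = True
    results["hardened_syslog_exists"] = os.path.exists(os.path.join(root, "var/log/syslog.tgz"))
    # A legitimate request for a file inside the settings directory still works.
    results["legit_deleted"] = _rel(root, hardened_delete(root, "backup.tgz"))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-26s %r" % (key, value))
```

Against the constructed fixture the vulnerable handler removes 'var/log/syslog.tgz', while the hardened handler reduces the payload to 'syslog.tgz', looks for it only inside the settings directory, and refuses because no such file exists there; a plain 'backup.tgz' request is still honoured.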
