DB Electronica Telecomunicazioni Mozart FM Transmitter Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

An unauthenticated arbitrary file upload vulnerability has been identified in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue resides in 'patch_contents.php': the '/var/tdf/patch_contents.php' endpoint accepts file uploads without validating file types or checking MIME headers, and the only size limit it enforces is a 16MB maximum. This lack of restriction enables attackers to upload malicious files.

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to upload files without restriction, including malicious files that may be executed on the server or cause other harm.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/var/tdf/patch_contents.php' endpoint with a file attached. The uploaded file can be of any type, as the server does not validate the file extension or MIME type. The only size restriction is a maximum of 16MB.
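A defender-side check for the request pattern described above, as an added example that is not part of the original advisory or the vendor's code: it scans web access logs for POST requests to 'patch_contents.php' from outside a management subnet. The Combined Log Format, the 10.20.0.0/24 subnet and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: Combined Log Format; the advisory does not describe the device's logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ENDPOINT = "patch_contents.php"  # script name taken from the advisory
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical management subnet

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.20.0.5 - - [01/Jan/2025:01:00:00 +0000] "POST /var/tdf/patch_contents.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:01:05:12 +0000] "POST /var/tdf/patch%5Fcontents.php?x=1 HTTP/1.1" 200 87',
    '198.51.100.9 - - [01/Jan/2025:01:06:40 +0000] "GET /var/tdf/patch_contents.php HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/Jan/2025:01:07:02 +0000] "POST /var/tdf/PATCH_CONTENTS.PHP/extra HTTP/1.1" 403 0',
    '203.0.113.7 - - [01/Jan/2025:01:09:30 +0000] "GET /index.php HTTP/1.1" 200 300',
]

def hits_endpoint(target):
    """True if the request path contains the upload script as a path segment."""
    # Decode percent-encoding, drop the query string, ignore case and trailing path info.
    path = unquote(urlsplit(target).path).lower()
    return ENDPOINT in path.split("/")

def from_mgmt(ip_text):
    """True if the client address parses and falls inside a management subnet."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # hostname or malformed client field
        return False
    return any(ip in net for net in MGMT_NETS)

def find_suspect_uploads(lines):
    """Return POSTs to the upload script that came from outside MGMT_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not hits_endpoint(m["target"]):
            continue
        if from_mgmt(m["ip"]):
            continue
        status = int(m["status"])
        # "accepted" means the server answered 2xx, so the upload likely went through.
        hits.append({"ip": m["ip"], "time": m["ts"], "status": status,
                     "accepted": 200 <= status < 300})
    return hits
```

A hit with "accepted" set is the case to follow up first, by checking the device for files that were not placed there by an operator.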

Added: Nov 26, 2025, 1:22 AM
Updated: Nov 26, 2025, 1:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.