DB Electronica Mozart FM Transmitter Unauthenticated Arbitrary File Read Vulnerability via Null Byte Injection

Vulnerability

A vulnerability allowing unauthenticated arbitrary file read has been identified in DB Electronica Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue arises in the 'download_setting.php' endpoint, which builds the file path by appending a mandatory '.tgz' extension to the user-controlled 'filename' parameter. Because the application runs on PHP versions prior to 5.3.4, it is susceptible to null byte injection: a null byte in the 'filename' value truncates the path before the appended extension, so attackers can bypass the extension restriction and traverse directories. By injecting a null byte into the filename parameter, attackers can manipulate the file path to access sensitive files, such as '/etc/passwd', leading to unauthorized file disclosure.

Impact

Exploitation of this vulnerability allows for unauthenticated access to arbitrary files readable by the web server user, potentially disclosing sensitive information.

Reproduction

To reproduce this vulnerability, send a GET request to the 'download_setting.php' endpoint with the 'filename' parameter set to traverse the file system and access sensitive files. The null byte injection can be achieved by URL-encoding the null byte (%00) after the desired file path, effectively bypassing the appended '.tgz' extension and allowing the requested file to be read.
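As an added example (not part of this advisory or of the vendor's code), the following Python shows the input validation and path containment a hardened 'download_setting.php'-style handler would apply, and reuses the same check to flag the null-byte/traversal pattern in access-log lines. SETTINGS_DIR, the allowlist, the log format and the log lines are assumptions constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

SETTINGS_DIR = "/var/www/settings"               # assumed location of the .tgz bundles
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # allowlist: no '/', '.', NUL, spaces
REQUEST_RE = re.compile(r'"GET (\S*download_setting\.php\S*) HTTP/')

def reject_reason(filename):
    """Return None if the decoded 'filename' value is acceptable, else why not.
    NUL is checked first: on PHP < 5.3.4 it truncates the appended '.tgz'."""
    if "\x00" in filename:
        return "null byte"
    if "/" in filename or "\\" in filename or ".." in filename:
        return "path traversal"
    if not NAME_RE.match(filename):
        return "not in allowlist"
    return None

def safe_setting_path(filename):
    """Build '<SETTINGS_DIR>/<filename>.tgz' only after validation, and confirm
    the resolved path is still inside SETTINGS_DIR (defence in depth)."""
    reason = reject_reason(filename)
    if reason:
        raise ValueError("rejected filename: " + reason)
    base = os.path.realpath(SETTINGS_DIR)
    path = os.path.realpath(os.path.join(base, filename + ".tgz"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escapes SETTINGS_DIR")
    return path

def flag_log_line(line):
    """Return the rejection reason for an access-log line requesting
    download_setting.php with a bad 'filename', or None if benign.
    parse_qs percent-decodes, so '%00' and '%2e%2e' are seen as raw bytes."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    for value in parse_qs(urlsplit(m.group(1)).query).get("filename", []):
        reason = reject_reason(value)
        if reason:
            return reason
    return None

# Constructed access-log lines (not from the advisory): a benign download,
# a null-byte/traversal attempt, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Nov/2025:01:18:00 +0000] "GET /download_setting.php?filename=backup_2025 HTTP/1.1" 200 4096',
    '10.0.0.9 - - [26/Nov/2025:01:18:07 +0000] "GET /download_setting.php?filename=../../../../etc/passwd%00 HTTP/1.1" 200 1712',
    '10.0.0.9 - - [26/Nov/2025:01:18:09 +0000] "GET /index.php HTTP/1.1" 200 812',
]
```

Running `flag_log_line` over SAMPLE_LOG yields `[None, "null byte", None]`; the same `reject_reason` check is what the handler uses before it ever touches the filesystem.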

Added: Nov 26, 2025, 1:18 AM
Updated: Nov 26, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 8.7
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.