Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XDbbroadcast Mozart Dds Next 100
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 1000
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 1000 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 100 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 2000
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 2000 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 30
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 300
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 3000
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 3000 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 300 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 30 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 3500
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 3500 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 50
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 500
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 500 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 50 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 6000
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 6000 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 7000
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Dds Next 7000 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Next 100
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Next 1000
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Next 1000 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Next 100 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Next 2000
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Next 2000 Firmware
OSDbbroadcastwszystkie wersjeDbbroadcast Mozart Next 30
HWDbbroadcastwszystkie wersjeDbbroadcast Mozart Next 300
HWDbbroadcastwszystkie wersje
Related vulnerabilities
Nieuwierzytelniony arbitrary file upload w DB Electronica Mozart FM Transmitter
RCE przez brak walidacji pliku firmware w DB Electronica Mozart FM Transmitter
Nieuwierzytelniony arbitrary file upload w DB Electronica Mozart FM Transmitter
Nieuwierzytelniony OS Command Injection w DB Electronica Mozart FM Transmitter
Nieuwierzytelnione usuwanie plików w DB Electronica Mozart FM Transmitter