Overview
CVE-2025-66263 is a security vulnerability affecting DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. This vulnerability allows an unauthenticated attacker to read arbitrary files on the system due to a null byte injection flaw in the download_setting.php endpoint.
Technical Details
The vulnerability lies in the /var/tdf/download_setting.php endpoint, which is intended for downloading configuration settings. This endpoint constructs file paths by concatenating a user-controlled $_GET['filename'] parameter with the .tgz extension. Due to the application running on PHP 5.3.2 (pre-5.3.4), it is susceptible to null byte injection.
By injecting a null byte (%00) into the filename parameter, an attacker can effectively truncate the file path. For example, a request such as filename=../../../../etc/passwd%00 causes the underlying C functions to treat the null byte as the end of the string, ignoring the appended .tgz extension. This allows the attacker to bypass the intended file extension restriction and traverse the file system. The web server user’s permissions then determine which files can be read. In this example, the /etc/passwd file is disclosed if the web server user has read access.
CVSS Analysis
Based on the information provided, no CVSS score is available at this time (N/A). A proper CVSS score depends on multiple factors, including attack vector, attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact. Since the vulnerability allows unauthenticated arbitrary file read, the confidentiality impact would be considered high. A full CVSS analysis would be required to determine the score accurately.
Possible Impact
The exploitation of this vulnerability can lead to:
- Information Disclosure: Attackers can read sensitive configuration files, system files (e.g., /etc/passwd), and potentially database credentials.
- Privilege Escalation: Information gathered from disclosed files can be used to escalate privileges on the system.
- System Compromise: In severe cases, the attacker might be able to gain full control of the device by leveraging the disclosed information to exploit other vulnerabilities.
Mitigation and Patch Steps
To mitigate this vulnerability, the following steps are recommended:
- Upgrade PHP: Upgrade the PHP version to 5.3.4 or later, where null byte injection protections were implemented. Ideally, upgrade to a more recent and supported version of PHP.
- Input Validation: Implement strict input validation on the filename parameter. Sanitize the input to remove or reject any potentially malicious characters, including null bytes and path traversal characters (e.g., ../).
- Whitelist File Paths: Instead of allowing arbitrary file names, implement a whitelist of allowed file paths that can be downloaded. This will restrict the attacker’s ability to access unintended files.
- Restrict File System Permissions: Ensure the web server user has the minimum necessary permissions to access files on the system. This will limit the scope of what an attacker can read, even if they successfully exploit the vulnerability.
- Apply Vendor Patch: Contact DB Electronica for a specific patch for this vulnerability. Applying the official vendor patch is the most reliable long-term solution.
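The input validation and whitelist steps above can be combined into one resolver that the download endpoint calls before opening any file. This is an added example, not code from the vendor or the device firmware; the function name, the allowlist entries and the temporary demo directory are assumptions made for illustration, and the syntax is kept compatible with PHP 5.3.

```php
<?php
// Added illustration, not vendor code. The function name and the allowlist
// entries are hypothetical. In the endpoint, $name would be $_GET['filename'].

// Returns the absolute path of an allowlisted .tgz archive, or false.
function resolve_setting_archive($name, $baseDir, $allowed)
{
    if (!is_string($name) || $name === '') {
        return false;                       // also rejects arrays (filename[]=x)
    }
    // Reject NUL explicitly: before PHP 5.3.4 it truncates the path in the C layer.
    if (strpos($name, "\0") !== false) {
        return false;
    }
    // Strict character set: no '/', '\' or '.', so no traversal sequences.
    // \A...\z anchors the whole string; '$' would accept a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return false;
    }
    if (!in_array($name, $allowed, true)) { // allowlist of known archive names
        return false;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.tgz');
    if ($base === false || $path === false) {
        return false;                       // directory or archive does not exist
    }
    // Defence in depth: the resolved path must stay under the base directory
    // and must still carry the appended extension.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || substr($path, -4) !== '.tgz') {
        return false;
    }
    return $path;
}

// Constructed demo: a temporary directory stands in for the settings directory.
$dir = sys_get_temp_dir() . '/settings_demo_' . uniqid();
mkdir($dir);
file_put_contents($dir . '/backup.tgz', 'constructed sample');
$allowed = array('backup', 'factory_default');
$inputs = array('backup', "../../../../etc/passwd\0", "backup\0", '../backup', 'unknown');
foreach ($inputs as $in) {
    $out = resolve_setting_archive($in, $dir, $allowed);
    echo str_replace("\0", '%00', $in), ' => ', ($out === false ? 'rejected' : 'served'), "\n";
}
unlink($dir . '/backup.tgz');
rmdir($dir);
```

Only the first constructed input resolves to a file; the explicit null byte check matters on PHP versions before 5.3.4, where the runtime itself does not reject such paths.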
