VICIdial Unauthenticated Command Injection Vulnerability in 'vicidial_sales_viewer.php' Component

Vulnerability

A command injection vulnerability allowing unauthenticated users to execute arbitrary operating system commands exists in VICIdial versions 2.9 RC1 prior to 2.13 RC1. The issue arises in the 'vicidial_sales_viewer.php' component when password encryption is enabled, a non-default setting. The vulnerability occurs because the application inadequately sanitizes the HTTP Basic Authentication password before passing it to a command execution function, thereby allowing remote attackers to inject and execute commands as the web server user.
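The safe pattern for the situation described above, as an added illustration that is not VICIdial's code: the Basic Auth password is decoded, then handed to the external helper as stdin with an argv-list call, so no shell ever parses it. The helper name is an assumption (sha256sum stands in for whatever encryption tool the application shells out to).

```python
# Illustrative pattern only (not VICIdial's own code): pass an HTTP Basic Auth
# password to an external helper without ever letting /bin/sh see it.
import base64
import hashlib
import subprocess
from typing import Optional, Tuple


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <base64>' value into (user, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def encrypt_password(password: str) -> str:
    """Run the (assumed) external helper with the secret on stdin.

    The helper is modelled by 'sha256sum'. The command is an argv list with
    shell=False and the password travels over stdin, so characters such as
    ; | ` $( ) are plain data: no shell interprets them, and the secret also
    never appears on a command line visible in the process list.
    """
    if "\x00" in password or len(password) > 256:
        raise ValueError("rejected password")  # fail closed on impossible input
    proc = subprocess.run(
        ["sha256sum"],
        input=password.encode("utf-8"),
        capture_output=True,
        check=True,
    )
    return proc.stdout.decode().split()[0]


def reference_digest(password: str) -> str:
    """In-process SHA-256 of the same bytes, used to confirm nothing was altered."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

If the helper only accepts its input as an argument, an argv list (never a concatenated string) still keeps the shell out of the path; stdin is preferred because it also keeps the secret out of `ps` output.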

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the server, with the commands being executed as the web server user.

Reproduction

To reproduce this vulnerability, first ensure that VICIdial is running a vulnerable version and that password encryption is enabled. Then, send a request to 'vicidial_sales_viewer.php' with a crafted HTTP Basic Authentication password that includes the command to be executed. The injected command will be executed on the server.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.2
threat: 7.3
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.