Vaelsys V4 Command Injection Vulnerability in v4.1.0

A critical vulnerability allowing OS command injection has been identified in Vaelsys version 4.1.0. The issue arises in the 'execute_DataObjectProc' function within '/grid/vgrid_server.php', where the 'xajaxargs' argument can be manipulated to inject malicious payloads. This vulnerability can be exploited remotely without authentication, although a valid PHP session ID is required.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution on the server where Vaelsys is running.

Reproduction

To reproduce this vulnerability, send a POST request to '/grid/vgrid_server.php' with the 'xajax' parameter set to 'execute_DataObjectProc'. Include 'auth' and 'testConnectivity' in the 'xajaxargs' parameter. The injection payload should be crafted to exploit the command execution vulnerability, such as by appending a command to be executed, like 'ls', in a way that the application does not properly sanitize the input before execution.