Vaelsys V4 Platform Command Injection Vulnerability Leading to Remote Code Execution

A command injection vulnerability allowing remote code execution has been identified in Vaelsys V4.1.0. The issue arises in the file '/tree/tree_server.php' within the HTTP POST Request Handler component. The vulnerability is caused by improper validation and sanitization of the 'xajaxargs' parameter, which allows attackers to inject OS commands that are executed on the server. This flaw can be exploited without authentication, and the vendor has not responded to disclosure attempts.

Impact

Exploitation of this vulnerability allows for remote code execution on the server. Injected commands are executed with the privileges of the web server user, such as 'nginx', potentially leading to unauthorized access to sensitive files and the creation of persistent backdoors. Additionally, the compromised server can be used to attack other internal network assets.

Reproduction

To reproduce this vulnerability, send a POST request to '/tree/tree_server.php' with the 'xajaxargs' parameter. Include a payload that injects a command, such as one that writes a PHP file to the server. The injected file can then be accessed to confirm successful exploitation.

Remediation

No specific mitigation is known, but it is recommended to replace the affected product with an alternative.