Unauthenticated remote command execution in Vembu products

An unauthenticated attacker can send a crafted HTTP request to the `/sgwebservice_o.php` endpoint. By providing a malicious command in the `command` argument, the attacker can achieve arbitrary shell command execution on the affected system. The reference write-up provides an example using `curl` to execute `echo hacked > /tmp/divd_was_here.txt` [ref_id=1].

The vulnerability lies within the http API located at `/sgwebservice_o.php` in VembuBDR and VembuOffsiteDR products. Specifically, the `command` argument accepted by this API is not properly validated, leading to the vulnerability [ref_id=1].

The advisory does not specify the exact fix implemented. However, it indicates that VembuBDR and VembuOffsiteDR versions before 4.2.0.1 are affected. Users are advised to upgrade to version 4.2.0.1 or later to remediate this vulnerability.

Step 1: Start up a docker environment (see below). Step 2: In a different terminal run the following command: > $ curl 'http://127.0.0.1:6060/sgwebservice_o.php?Action=StoreSpecialFolder&command=echo%20hacked%20%3E%2Ftmp%2Fdivd_was_here.txt&tempFile=/tmp'

<storegrid><saved messsage='Files filtered and cached successfully.Now You can continue your schedule..' error='0'></saved></storegrid>$ Step 3: validate that a file was written in /tmp: [ref_id=1]