Unauthenticated arbitrary file upload and command execution in Vembu products
Description
In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Vembu/VembuBDR
Patches
Vulnerability mechanics
Root cause
"The http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files."
Attack vector
An attacker can exploit this vulnerability by sending a crafted HTTP request to the `/sgwebservice_o.php` endpoint with the `Action` parameter set to `logFilePath`. The `path` parameter specifies the file path where the content will be written, and the `value` parameter contains the data to be written. This allows an attacker to write arbitrary files in the context of the web server process, which can then be executed remotely by calling the file via the web server [ref_id=1].
Affected code
The vulnerability lies within the HTTP API located at `/sgwebservice_o.php`, specifically when the `Action` parameter is set to `logFilePath`. This action allows arbitrary file writes through the `path` and `value` parameters in the request [ref_id=1].
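For defenders, the request shape described above can be hunted for in web server access logs. The following is an added example, not code from the advisory or from Vembu: it assumes Apache/nginx "combined" log format, and the function name, extension list and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client IP, request target and status from a "combined" access-log line (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Assumption: extensions the web server would hand to the PHP interpreter.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")


def find_logfilepath_writes(lines):
    """Return one finding per request that invokes Action=logFilePath."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/sgwebservice_o.php"):
            continue
        # parse_qs percent-decodes values; parameter names are compared case-insensitively.
        params = {k.lower(): v[0]
                  for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        if params.get("action", "").lower() != "logfilepath":
            continue
        path, value = params.get("path", ""), params.get("value", "")
        findings.append({
            "client": m["ip"],
            "status": int(m["status"]),
            "path": path,
            "script_target": path.lower().endswith(SCRIPT_EXT),  # file would be executable
            "php_content": "<?" in value,                         # body opens a PHP tag
        })
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2021:10:00:01 +0000] "GET /sgwebservice_o.php?Action=logFilePath&path=./my_php_info.php&value=%3C%3Fphp%20phpinfo%28%29%20%3F%3E%0A HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '198.51.100.4 - - [11/May/2021:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/May/2021:10:00:09 +0000] "GET /sgwebservice_o.php?Action=someOtherAction HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_logfilepath_writes(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a request body do not appear in access logs, so this covers only the query-string form shown in the reproduction step.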
What the fix does
The advisory indicates that VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 are affected. The recommended remediation is to upgrade to version 4.2.0.1 or later. The patch details are not provided in the bundle, but upgrading the software is expected to address the vulnerability by implementing proper input validation or access controls for the `logFilePath` API.
Preconditions
- network: The vulnerable server must be accessible over the network.
- input: The attacker needs to be able to send HTTP requests to the affected endpoint.
Reproduction
Step 1: Start up a docker environment (see below).
Step 2: In a different terminal run the following command:
$ curl 'http://localhost:6060/sgwebservice_o.php?Action=logFilePath&path=./my_php_info.php&value=%3C%3Fphp%20phpinfo%28%29%20%3F%3E%0A'
Step 3: Validate that a file was written:
$ docker exec VembuBDR4201 /bin/bash -c "cd /home/vembubdr/Vembu/VembuBDR/htmlgui;ls [ref_id=1]
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- csirt.divd.nl/2021/05/11/Vembu-zero-days/ (mitre, x_refsource_CONFIRM)
- csirt.divd.nl/cases/DIVD-2020-00011/ (mitre, x_refsource_CONFIRM)
- csirt.divd.nl/cves/CVE-2021-26473/ (mitre, x_refsource_CONFIRM)
- www.wbsec.nl/vembu (mitre, x_refsource_CONFIRM)