The following image displays the code for a command injection vulnerability in the function main of upload_file.cgi. The program receives the attacker's GET request through the getenv function at line 61, obtains the value of the first field through the code at line 69, and concatenates it into a formatted string using the snprintf function. Finally, the system function is used to execute the system command. Because the attacker's input is not filtered, any command can be executed.
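For comparison, a hardened form of the getenv / snprintf / system flow described above. This is an added example, not the vendor's code: the function names are hypothetical and /bin/echo stands in for the real command, which the page does not show. The field value is checked against an allowlist and passed as a single argv element, so no shell ever parses it.

```c
#include <spawn.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;
static const char ALLOWED[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                              "abcdefghijklmnopqrstuvwxyz0123456789._-";

/* Copy the value of the first "name=value" field; -1 if absent or too long. */
int first_field_value(const char *query, char *out, size_t outlen) {
    if (query == NULL) return -1;
    size_t flen = strcspn(query, "&");            /* length of first field */
    const char *eq = memchr(query, '=', flen);
    if (eq == NULL) return -1;
    size_t n = flen - (size_t)(eq + 1 - query);   /* length of its value */
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, eq + 1, n);
    out[n] = '\0';
    return 0;
}

/* Allowlist check: only characters in ALLOWED, no leading '.' or '-'. */
int is_safe_value(const char *s) {
    if (*s == '\0' || *s == '.' || *s == '-') return 0;
    return s[strspn(s, ALLOWED)] == '\0';
}

/* Run prog with value as one argument. No shell is involved, so the value
 * is never interpreted as command syntax. Returns exit status or -1. */
int run_without_shell(const char *prog, const char *value) {
    char *argv[] = { (char *)prog, (char *)value, NULL };
    pid_t pid;
    int status;
    if (posix_spawn(&pid, prog, NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Replacement for the vulnerable flow: parse, validate, then spawn. */
int handle_request(const char *query) {
    char value[128];
    if (first_field_value(query, value, sizeof value) != 0) return -1;
    if (!is_safe_value(value)) return -1;         /* reject before any exec */
    return run_without_shell("/bin/echo", value); /* stand-in command (assumption) */
}

int main(void) { return handle_request(getenv("QUERY_STRING")) == 0 ? 0 : 1; }
```

Percent-encoded input is rejected as well, since '%' is not in the allowlist; decode first and then validate if encoded values must be accepted.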
Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.
The vendor was contacted early about this disclosure but did not respond in any way.