cbcvebase.
CVE-2005-2847
published 2005-09-08

CVE-2005-2847: img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f…

PriorityP272high7.5CVSS 2.0
AVNACLAuNCPIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
53.37%
98.9th percentile
img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter.

Affected

2 ranges
VendorProductVersion rangeFixed in
barracuda_networksbarracuda_spam_firewall
barracuda_networksbarracuda_spam_firewall

Detection & IOCsextracted from sources · hover to see the quote

path/cgi-bin/img.pl
port8000
url/cgi-bin/img.pl?f=%2e%2e/etc/hosts
command../bin/sh -c "echo 'YYY';<cmd>;echo 'YYY'"|
url/cgi-bin/img.pl?f=../../../../../../../../../../etc/hosts
command../../../../../../../../../../bin/sh -c "echo 'YYY'; <payload>; echo 'YYY'"|
  • Detect path traversal attempts against /cgi-bin/img.pl via the 'f' parameter containing '../' sequences or URL-encoded equivalents (%2e%2e) targeting /etc/hosts or /bin/sh.
  • Detect shell metacharacter injection in the 'f' parameter of img.pl, specifically pipe characters ('|') combined with shell command strings such as '/bin/sh -c'.
  • Exploit check requests use the 'f' parameter with repeated '../' (8 times) to traverse to /etc/hosts; a 200 response containing 'localhost' or '127.0.0.1' confirms vulnerability.
  • Command output from the server is delimited by the string 'YYY'; monitor HTTP responses from /cgi-bin/img.pl containing 'YYY' as a sign of successful exploitation.
  • Requests to port 8000 targeting /cgi-bin/img.pl with traversal or shell metacharacters in the 'f' GET parameter should be flagged; default exploit port is 8000.
  • ·Vulnerable firmware versions are 3.1.16 and 3.1.17; version 3.1.18 and later are not affected. Scope detection rules to these specific versions where version fingerprinting is available.
  • ·The exploit default port is 8000, but SSL may also be used; detection rules should account for both HTTP and HTTPS on non-standard ports.

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.