CVE-2013-2641
Published: 2014-03-18

CVE-2013-2641: Directory traversal vulnerability in patience.cgi in Sophos Web Appliance before 3.7.8.2 allows remote attackers to read arbitrary files via the id parameter.

Priority: P3 · 5.5 (medium) · CVSS 2.0 base score: 5 · Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit: available
EPSS: 70.99% (99.3rd percentile)

Affected

1 range

Vendor   Product                  Version range   Fixed in
sophos   web_appliance_firmware   <= 3.7.8.1      3.7.8.2

Detection & IOCs (extracted from sources)

path: /cgi-bin/patience.cgi
url:  /cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00
url:  /cgi-bin/patience.cgi?id=../../log/ui_access_log%00
path: ../../persist/config/shared.conf
path: ../../log/ui_access_log
  • Detect directory traversal attempts against patience.cgi via the 'id' parameter containing '../' sequences, especially with null byte (%00) termination
  • Monitor HTTP access logs for requests to /cgi-bin/patience.cgi with 'id' parameter values containing '%2e%2e' or '../' path traversal patterns
  • PHP session IDs (parameter 'STYLE') are transmitted via URL rather than cookies; monitor Apache access logs for session ID exposure that could enable session hijacking following file disclosure
  • Alert on unauthenticated GET requests to /cgi-bin/patience.cgi with null byte (%00) in query string parameters, indicating traversal with null byte injection to bypass extension checks
  • The traversal payload uses a null byte (%00) to terminate the filename, which may be filtered or logged differently depending on the web server or WAF configuration; ensure null byte handling is accounted for in detection rules
  • The Metasploit module was tested on Sophos Web Virtual Appliance v3.7.0; the vulnerability affects versions before 3.7.8.2, so detection should cover the full affected version range
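As an added example (not part of this record or of any vendor tooling), the access-log checks in the bullets above expressed as a small Python scanner: it flags requests to /cgi-bin/patience.cgi whose id parameter carries a traversal sequence or a null byte, decoding twice so both plain and URL-encoded forms (%2e%2e, %00) normalise to the same check. The log lines are constructed, and the double-decoding and the traversal regex are assumptions about how a rule should normalise the parameter.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access log lines (not from the page): one benign request,
# the two traversal URLs listed in the IOCs (one URL-encoded), and a request
# to a different script that must not be flagged by this rule.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2014:10:01:02 +0000] "GET /cgi-bin/patience.cgi?id=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Mar/2014:10:02:10 +0000] "GET /cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00 HTTP/1.1" 200 2048 "-" "curl/7.30"
198.51.100.7 - - [18/Mar/2014:10:02:11 +0000] "GET /cgi-bin/patience.cgi?id=..%2f..%2flog%2fui_access_log%00 HTTP/1.1" 200 8192 "-" "curl/7.30"
10.0.0.9 - - [18/Mar/2014:10:03:00 +0000] "GET /index.php?id=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment bounded by slashes/backslashes or the string edges
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def classify_request(target):
    """Return the reasons a request target matches the CVE-2013-2641 rule, or [] if clean."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/patience.cgi":
        return []
    reasons = []
    raw_query = parts.query
    # Decode twice so single- and double-encoded sequences both normalise (assumption)
    decoded = unquote(unquote(raw_query))
    if "%00" in raw_query or "\x00" in decoded:
        reasons.append("null byte in query")
    id_values = parse_qs(decoded, keep_blank_values=True).get("id", [])
    if any(TRAVERSAL_RE.search(v) for v in id_values):
        reasons.append("traversal sequence in id")
    return reasons

def scan_access_log(text):
    """Return (ip, timestamp, target, status, reasons) for every log line that matches the rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        reasons = classify_request(m["target"])
        if reasons:
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"]), reasons))
    return hits

if __name__ == "__main__":
    for ip, ts, target, status, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target} -> {', '.join(reasons)}")
```

A 200 status on a flagged request is the case worth escalating, since the IOC URLs above read files the appliance should never serve.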