CVE-2013-2641
published 2014-03-18
CVE-2013-2641: Directory traversal vulnerability in patience.cgi in Sophos Web Appliance before 3.7.8.2 allows remote attackers to read arbitrary files via the id parameter.
Priority: P3 · 55 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 70.99% (99.3th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | web_appliance_firmware | <= 3.7.8.1 | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal attempts against patience.cgi via the 'id' parameter containing '../' sequences, especially with null byte (%00) termination
- Monitor HTTP access logs for requests to /cgi-bin/patience.cgi with 'id' parameter values containing '%2e%2e' or '../' path traversal patterns
- PHP session IDs (parameter 'STYLE') are transmitted via URL rather than cookies; monitor Apache access logs for session ID exposure that could enable session hijacking following file disclosure
- Alert on unauthenticated GET requests to /cgi-bin/patience.cgi with null byte (%00) in query string parameters, indicating traversal with null byte injection to bypass extension checks
- The traversal payload uses a null byte (%00) to terminate the filename, which may be filtered or logged differently depending on the web server or WAF configuration; ensure null byte handling is accounted for in detection rules
- The Metasploit module was tested on Sophos Web Virtual Appliance v3.7.0; the vulnerability affects versions before 3.7.8.2, so detection should cover the full affected version range
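One way to turn the log-monitoring points above into a check, as an added example that is not from the advisory, the vendor or the Metasploit module. It assumes Apache common/combined log lines; the sample lines, the reason labels and the benign id value are constructed, and it goes slightly beyond the list by also unwrapping repeated percent-encoding.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Request line inside an Apache common/combined log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
TARGET_PATH = b"/cgi-bin/patience.cgi"

def decode_fully(raw: str, rounds: int = 3) -> bytes:
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    value = raw.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line: str) -> list:
    """Return reasons an access-log line looks like a patience.cgi traversal."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if decode_fully(url.path).lower() != TARGET_PATH:
        return []
    reasons = []
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        if name == "id" and (b"../" in value or b"..\\" in value):
            reasons.append("traversal-in-id")
        if b"\x00" in value:  # decoded %00 in any query parameter
            reasons.append("null-byte-in-query")
    return reasons

# Constructed sample lines (documentation IPs, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2013:17:02:17 +0000] "GET /cgi-bin/patience.cgi?id=../../log/ui_access_log%00 HTTP/1.1" 200 512',
    '192.0.2.11 - - [21/Feb/2013:17:03:01 +0000] "GET /cgi-bin/patience.cgi?id=%252e%252e%252fx HTTP/1.1" 404 0',
    '192.0.2.12 - - [21/Feb/2013:17:04:40 +0000] "GET /cgi-bin/patience.cgi?id=abc123 HTTP/1.1" 200 90',
    '192.0.2.13 - - [21/Feb/2013:17:05:02 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139',
]

def scan(lines):
    """Map each suspicious line's client address to its reasons."""
    return {l.split()[0]: r for l in lines if (r := classify(l))}

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, ",".join(reasons))
```

Matching on the decoded bytes rather than the raw query string is what keeps the rule independent of how the front-end server or WAF logs the null byte.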
No detection rules found.
Exploit-DB
Sophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities
exploitdb·2013-04-08·CVSS 5.0
CVE-2013-2643 [MEDIUM] Sophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities
---
SEC Consult Vulnerability Lab Security Advisory
title: Multiple vulnerabilities
product: Sophos Web Protection Appliance
vulnerable version: /cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00
Furthermore the Apache access log can be retrieved. As PHP session IDs are
passed via the URL rather than via Cookies, these can be found in this log
file and effectively used to impersonate administrator users:
https:///cgi-bin/patience.cgi?id=../../log/ui_access_log%00
An excerpt from the log file shows that it contains PHP session ID information
(parameter "STYLE").
- - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139
"https:///index.php?section=configuration&c=configuration&STYLE=8514d0
Metasploit
Sophos Web Protection Appliance patience.cgi Directory Traversal
metasploit
This module abuses a directory traversal in Sophos Web Protection Appliance, specifically on the /cgi-bin/patience.cgi component. This module has been tested successfully on the Sophos Web Virtual Appliance v3.7.0.
No writeups or analysis indexed.
http://www.sophos.com/en-us/support/knowledgebase/118969.aspx
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt
2014-03-18
Published