CVE-2013-2642
published 2014-03-18


Priority: P263
Severity: critical
CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 7.18% (93.5th percentile)
Sophos Web Appliance before 3.7.8.2 allows (1) remote attackers to execute arbitrary commands via shell metacharacters in the client-ip parameter to the Block page, when using the user_workstation variable in a customized template, and remote authenticated users to execute arbitrary commands via shell metacharacters in the (2) url parameter to the Diagnostic Tools functionality or (3) entries parameter to the Local Site List functionality.

Affected (1 range)

Vendor | Product                | Version range | Fixed in
sophos | web_appliance_firmware | <= 3.7.8.1    | 3.7.8.2

Detection & IOCs (extracted from sources)

URL:     /index.php?c=diagnostic_tools
URL:     /index.php?c=local_site_list_editor
URL:     /end-user/index.php?reason=application&client-ip=%20%60sleep+10%60
URL:     /cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00
URL:     /cgi-bin/patience.cgi?id=../../log/ui_access_log%00
Command: url=%60sleep%205%60
Command: entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]
  • Detect OS command injection attempts via backtick-enclosed commands in the 'url' POST parameter to /index.php?c=diagnostic_tools (vector 2; requires an authenticated session).
  • Detect OS command injection in the 'entries' POST parameter to /index.php?c=local_site_list_editor; look for backtick-enclosed commands inside the JSON 'url' field (vector 3; requires an authenticated session).
  • Detect unauthenticated command injection via the 'client-ip' GET parameter to /end-user/index.php when backtick characters are present (vector 1, the Block page).
  • Monitor for path traversal attempts via null-byte injection in the 'id' parameter of /cgi-bin/patience.cgi (the %00 terminator truncates the file extension the script appends), e.g. reads of ../../persist/config/shared.conf or ../../log/ui_access_log.
  • Monitor Apache access logs for PHP session IDs (STYLE parameter) appearing in URLs; an attacker can harvest them from the access log via the path traversal vulnerability and hijack admin sessions.
  • Injected commands execute as the OS user 'spiderman'; alert on unexpected processes spawned by this account.
  • The unauthenticated Block page command injection (client-ip parameter) is only exploitable when the customized Block page template uses the %%user_workstation%% variable; default templates are not affected.
  • The authenticated command injection vectors (diagnostic_tools, local_site_list_editor) require a valid session; however, session IDs can be stolen without authentication via the path traversal vulnerability in patience.cgi, chaining unauthenticated access to authenticated injection.
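The checks in the list above, run over access-log lines, as an added example that is not part of the original page and is not Sophos code. It assumes Apache combined log format for the request line and, for the two POST vectors, a log source that also records the URL-encoded request body (a WAF or reverse-proxy log; a stock access log does not carry it). The indicator names, the log lines and the request bodies are constructed for illustration; the request shapes follow the IOCs listed on the page.

```python
"""Detection logic for the CVE-2013-2642 indicators (added example, not from the page)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined-format prefix: client ip, ident, user, [timestamp], "METHOD path PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Command-substitution syntax: backticks (what the listed IOCs use) and $(...).
# ';', '|' and '&' are deliberately left out because they occur in legitimate URL values.
CMD_SUBST = re.compile(r'`|\$\(')


def parse_line(line):
    """Split one access-log line into fields plus a decoded query dict; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['path'])
    rec['script'] = parts.path
    # parse_qs percent-decodes, so %60 becomes '`' and %00 becomes '\x00'; '+' becomes a space.
    rec['query'] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec, body=None):
    """Return the list of indicator names matched by one request.

    body: URL-encoded POST body if the log source records it (assumption, see lead-in).
    """
    findings = []
    q = rec['query']
    script = rec['script']

    # Vector 1: unauthenticated injection via client-ip on the Block page.
    if script.endswith('/end-user/index.php'):
        if any(CMD_SUBST.search(v) for v in q.get('client-ip', [])):
            findings.append('client-ip-cmdinj')

    # Null-byte / dot-dot traversal in patience.cgi (reads shared.conf or the UI access log).
    if script.endswith('/cgi-bin/patience.cgi'):
        if any('\x00' in v or '../' in v for v in q.get('id', [])):
            findings.append('patience-traversal')

    # Session ID carried in the URL (STYLE parameter): what the traversal lets an attacker harvest.
    if 'STYLE' in q:
        findings.append('session-id-in-url')

    # Vectors 2 and 3: authenticated injections, only visible if the POST body was logged.
    if body is not None and script.endswith('/index.php'):
        controller = q.get('c', [''])[0]
        post = parse_qs(body, keep_blank_values=True)
        if controller == 'diagnostic_tools' and any(CMD_SUBST.search(v) for v in post.get('url', [])):
            findings.append('diagnostic-tools-cmdinj')
        if controller == 'local_site_list_editor' and any(CMD_SUBST.search(v) for v in post.get('entries', [])):
            findings.append('local-site-list-cmdinj')

    return findings


def scan(entries):
    """Run classify() over (log_line, body_or_None) pairs; return (ip, path, findings) per matching request."""
    hits = []
    for line, body in entries:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec, body)
        if findings:
            hits.append((rec['ip'], rec['path'], findings))
    return hits


# Constructed sample traffic (not real logs): five attacker-shaped requests and one benign one.
SAMPLE = [
    ('203.0.113.5 - - [18/Mar/2014:10:01:02 +0000] "GET /end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 HTTP/1.1" 200 1532', None),
    ('203.0.113.5 - - [18/Mar/2014:10:01:40 +0000] "GET /cgi-bin/patience.cgi?id=../../log/ui_access_log%00 HTTP/1.1" 200 88213', None),
    ('203.0.113.5 - - [18/Mar/2014:10:02:11 +0000] "POST /index.php?c=diagnostic_tools HTTP/1.1" 200 310',
     'url=%60sleep%205%60'),
    ('203.0.113.5 - - [18/Mar/2014:10:02:35 +0000] "POST /index.php?c=local_site_list_editor HTTP/1.1" 200 88',
     'entries=%5B%7B%22url%22%3A+%22.%27%60sleep+10%60%27%22%2C+%22range%22%3A+%22no%22%7D%5D'),
    ('10.0.0.12 - admin [18/Mar/2014:09:58:00 +0000] "GET /index.php?c=diagnostic_tools&STYLE=0123456789abcdef0123456789abcdef HTTP/1.1" 200 4410', None),
    ('198.51.100.7 - - [18/Mar/2014:10:03:00 +0000] "GET /end-user/index.php?reason=application&client-ip=10.1.2.3 HTTP/1.1" 200 1532', None),
]

if __name__ == '__main__':
    for ip, path, findings in scan(SAMPLE):
        print(ip, path, ', '.join(findings))
```

The benign Block page request (a plain IP in client-ip) produces no finding, and the STYLE check fires on an otherwise legitimate admin request: it is an exposure indicator, not an attack indicator, so route it to a separate, lower-severity rule than the injection hits.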