CVE-2013-4983
Published 2013-09-10
Priority P2 · 78 · critical · CVSS 2.0 base score 10 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT · EPSS 90.13% (99.8th percentile)
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to end-user/index.php.
Affected
76 ranges indexed; only the first carries version data:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | web_appliance_firmware | <= 3.7.9 | — |
Detection & IOCs (extracted from sources)

Snort/Suricata rule:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sophos Web Appliance RCE Attempt Inbound (CVE-2013-4983)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?"; content:"c=blocked"; content:"action=continue"; fast_pattern; reference:cve,2013-4983; classtype:web-application-attack; sid:2061768; rev:1; metadata:attack_target Server, created_at 2025_04_21, cve CVE_2013_4983, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploitation requires an HTTP POST to /end-user/index.php with the GET parameters c=blocked and action=continue; monitor for this combination inbound to web servers.
- The args_reason POST parameter must be set to any value other than 'filetypewarn' to reach the vulnerable sblistpack code path; filter on this condition alongside the URI pattern.
- Exploitation runs under the OS user 'spiderman'; look for unexpected processes (e.g., nc, bash) spawned by this user on the appliance.
- The Metasploit module targets port 443 over SSL; network detection should inspect HTTPS POST traffic to /end-user/index.php on port 443.
- Payload bad characters are single-quote (0x27), double-quote (0x22), and backslash (0x5c); injected commands in the domain parameter will avoid these characters.
- The vulnerability is reachable over port 80 as well as 443, because Apache's httpd.conf defines a VirtualHost on port 80 whose DocumentRoot points to the end-user directory.
- escapeshellarg() is applied to $key, $user, and $value in UsrBlocked.php before shell_exec(), so the injection point is inside the invoked Perl script sblistpack itself, not the PHP layer; perimeter WAF rules that block shell metacharacters in POST parameters may not be sufficient if the Perl script is called directly.
Suricata: ET EXPLOIT Sophos Web Appliance RCE Attempt Inbound (CVE-2013-4983)
suricata · 2025-04-21 · CVSS 10.0 · [CRITICAL] · sid:2061768 (rule text as listed under Detection & IOCs above)
Exploit-DB: Sophos Web Protection Appliance - 'sblistpack' Arbitrary Command Execution (Metasploit)
exploitdb · 2013-09-17 · CVE-2013-4983
---

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Rank and mixin declarations are not present in this excerpt

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Sophos Web Protection Appliance sblistpack Arbitrary Command Execution',
      'Description' => %q{
        This module exploits a command injection vulnerability on Sophos Web Protection Appliance
        3.7.9, 3.8.0 and 3.8.1. The vulnerability exists on the sblistpack component, reachable
        from the web interface without authentication. This module has been tested successfully
        on Sophos Virtual Web Appliance 3.7.0.
      },
      'Author'      =>
        [
          'Francisco Fal
```
Exploit-DB: Sophos Web Protection Appliance - Multiple Vulnerabilities
exploitdb · 2013-09-09 · CVSS 10.0 · CVE-2013-4984 [CRITICAL]
---
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Sophos Web Protection Appliance Multiple Vulnerabilities
1. *Advisory Information*
Title: Sophos Web Protection Appliance Multiple Vulnerabilities
Advisory ID: CORE-2013-0809
Advisory URL:
http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities
Date published: 2013-09-06
Date of last update: 2013-09-06
Vendors contacted: Sophos
Release mode: Coordinated release
2. *Vulnerability Information*
Class: OS command injection [CWE-78], OS command injection [CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4983, CVE-2013-4984
3. *Vulnerability Descript
Metasploit: Sophos Web Protection Appliance sblistpack Arbitrary Command Execution
metasploit
This module exploits a command injection vulnerability on Sophos Web Protection Appliance 3.7.9, 3.8.0 and 3.8.1. The vulnerability exists on the sblistpack component, reachable from the web interface without authentication. This module has been tested successfully on Sophos Virtual Web Appliance 3.7.0.
No writeups or analysis indexed.
References:
- http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities
- http://www.sophos.com/en-us/support/knowledgebase/119773.aspx