CVE-2013-4983
published 2013-09-10


Priority: P278
Severity: critical (CVSS 2.0 base score 10)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 90.13% (99.8th percentile)
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to end-user/index.php.

Affected

76 version ranges (page shows 25; only the first row carries version data)

Vendor  Product                 Version range  Fixed in
sophos  web_appliance_firmware  <= 3.7.9       3.7.9.1 (per the description above)

Detection & IOCs (extracted from sources)

path: /opt/ws/bin/sblistpack
path: /opt/ui/apache/htdocs/end-user/index.php
url: /end-user/index.php?c=blocked&action=continue
path: /opt/ws/bin/kvlistquery
snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sophos Web Appliance RCE Attempt Inbound (CVE-2013-4983)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?"; content:"c=blocked"; content:"action=continue"; fast_pattern; reference:cve,2013-4983; classtype:web-application-attack; sid:2061768; rev:1; metadata:attack_target Server, created_at 2025_04_21, cve CVE_2013_4983, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requires HTTP POST to /end-user/index.php with GET parameters c=blocked and action=continue; monitor for this combination inbound to web servers.
  • The args_reason POST parameter must be set to any value other than 'filetypewarn' to trigger the vulnerable sblistpack code path; filter on this condition alongside the URI pattern.
  • Exploitation runs under the OS user 'spiderman'; look for unexpected processes (e.g., nc, bash) spawned by this user on the appliance.
  • The Metasploit module targets port 443 over SSL; network detection should inspect HTTPS POST traffic to /end-user/index.php on port 443.
  • Payload bad characters are single-quote (0x27), double-quote (0x22), and backslash (0x5c); injected commands in the domain parameter will avoid these characters.
  • The vulnerability is reachable over port 80 as well as 443, because Apache's httpd.conf defines a VirtualHost on port 80 with DocumentRoot pointing to the end-user directory.
  • escapeshellarg() is applied to $key, $user, and $value in UsrBlocked.php before shell_exec(), so the injection point is inside the invoked Perl script sblistpack itself, not the PHP layer; perimeter WAF rules that block shell metacharacters in POST parameters may not be sufficient if the Perl script is called directly.