CVE-2016-9554
Published: 2017-01-28
Severity: high, CVSS 3.0 base score 7.2 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 24.45% (97.6th percentile)
The Sophos Web Appliance Remote / Secure Web Gateway server (version 4.2.1.3) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. These vulnerabilities occur in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), in the component responsible for performing diagnostic tests with the UNIX wget utility. The application doesn't properly escape the information passed in the 'url' variable before calling the executeCommand class function ($this->dtObj->executeCommand). This function calls exec() with unsanitized user input allowing for remote command injection. The page that contains the vulnerabilities, /controllers/MgrDiagnosticTools.php, is accessed by a built-in command answered by the administrative interface. The command that calls to that vulnerable page (passed in the 'section' parameter) is: 'configuration'. Exploitation of this vulnerability yields shell access to the remote machine under the 'spiderman' user account.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | web_appliance | — | — |
Detection & IOCs (extracted from sources)
- Look for POST requests to /index.php?c=diagnostic_tools containing the parameters 'action=wget', 'section=configuration', and a 'url' field with backtick-enclosed command injection payloads (e.g., url=htt%3a%2f%2f...`<cmd>`).
- Monitor for creation and execution of ELF binaries dropped to /tmp/m or /tmp/n on Sophos Web Appliance hosts, particularly following web server process activity.
- Alert on processes spawned under the 'spiderman' user account on Sophos Web Appliance systems, as successful exploitation yields a shell under this account.
- Detect POST requests to /index.php?c=login followed shortly by POST requests to ?c=diagnostic_tools from the same source IP, indicating the two-stage exploit flow (authentication followed by command injection).
- Inspect the 'url' POST parameter in requests to the diagnostic_tools controller for URL-encoded backtick characters (%60) or shell metacharacters indicating command injection attempts.
- The exploit requires prior authentication to the administrative interface (post-auth vulnerability); unauthenticated exploitation is not possible. Detection should account for the login step preceding the injection.
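The request-level indicators above, turned into a small detector as an added example (not code from any of the advisory sources): it flags POST requests to the diagnostic_tools controller whose wget 'url' field carries shell metacharacters, and notes when a login POST from the same source IP preceded it. The log line format and the sample lines are constructed for illustration and are assumptions, not the appliance's real log format.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, format assumed: "<ip> <method> <path> - <raw POST body>".
# The backtick payload is a placeholder, not a working command.
SAMPLE_LOG = [
    "198.51.100.7 POST /index.php?c=login - username=admin&password=REDACTED",
    "198.51.100.7 POST /index.php?c=diagnostic_tools - "
    "action=wget&section=configuration&url=http%3A%2F%2Fexample.invalid%2F%60cmd%60",
    "203.0.113.9 POST /index.php?c=diagnostic_tools - "
    "action=wget&section=configuration&url=http%3A%2F%2Fexample.invalid%2Findex.html",
    "203.0.113.9 GET /index.php?c=diagnostic_tools - -",
]

# Shell metacharacters that should never appear in a URL handed to a wget diagnostic call.
SHELL_META = set("`$;|&\n")


def parse_line(line):
    """Split a constructed log line into (ip, method, path, body)."""
    ip, method, path, _dash, body = line.split(" ", 4)
    return ip, method, path, body


def controller(path):
    """Return the value of the 'c' query parameter (the controller name), or None."""
    values = parse_qs(urlsplit(path).query).get("c")
    return values[0] if values else None


def suspicious_url(body):
    """True if a wget diagnostic call's 'url' field contains shell metacharacters.

    parse_qs percent-decodes once, so an encoded backtick (%60) is seen as '`'."""
    form = parse_qs(body)
    if form.get("action") != ["wget"] or form.get("section") != ["configuration"]:
        return False
    return any(SHELL_META & set(url) for url in form.get("url", []))


def detect(lines):
    """Return (ip, reason) findings for the login-then-injection pattern."""
    findings, logged_in = [], set()
    for line in lines:
        ip, method, path, body = parse_line(line)
        if method != "POST":
            continue
        ctrl = controller(path)
        if ctrl == "login":
            logged_in.add(ip)  # remember the authentication step for correlation
        elif ctrl == "diagnostic_tools" and suspicious_url(body):
            reason = "command injection attempt in diagnostic_tools url"
            if ip in logged_in:
                reason += " (after login from same IP)"
            findings.append((ip, reason))
    return findings
```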
CVSS provenance
- NVD, CVSS v3.0: 7.2 HIGH (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
VulDB
Sophos Web Appliance Remote/Secure Web Gateway Server up to 4.2.1.3 Web Admin Interface MgrDiagnosticTools.php exec ($this->dtObj->executeCommand) command injection (EDB-41414 / Nessus ID 100846)
vuldb · 2026-05-16 · CVSS 7.2 · HIGH
A vulnerability categorized as critical has been discovered in Sophos Web Appliance Remote and Secure Web Gateway Server up to 4.2.1.3. Impacted is the function exec of the file /controllers/MgrDiagnosticTools.php of the component Web Admin Interface. Executing a manipulation of the argument $this->dtObj->executeCommand) can lead to command injection.
The identification of this vulnerability is CVE-2016-9554. The attack may be launched remotely. Furthermore, there is an exploit available.
It is advisable to upgrade the affected component.
GHSA
GHSA-h9p6-824j-f26j · ghsa_unreviewed · 2022-05-17 · HIGH · CWE-77
Description: identical to the CVE description given above.
No detection rules found.
No writeups or analysis indexed.
References
- http://pastebin.com/UB8Ye6ZU
- http://www.securityfocus.com/bid/95858
- https://community.sophos.com/products/web-appliance/b/blog/posts/release-of-swa-version-4-3-1