PT-2017-10202 · Sophos · Sophos Web Appliance

Xort · Published 2017-01-28 · Updated 2017-03-08 · CVE-2016-9553

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Sophos Web Appliance version 4.2.1.3

Description: The issue affects the web administrative interface of the Sophos Web Appliance, specifically the MgrReport.php component, which handles blocking and unblocking IP addresses. The values passed in the unblockip and blockip variables are not properly escaped before they are used in the PHP exec() function, which runs a shell command, so arbitrary system commands can be injected. This occurs despite the variable name escapedips suggesting that the values have been protected.

Recommendations: For Sophos Web Appliance version 4.2.1.3, as a temporary workaround, consider restricting access to the MgrReport.php component, specifically the /controllers/MgrReport.php endpoint, to minimize the risk of exploitation. Avoid using the unblockip and blockip variables in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
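The root cause above is an address string reaching exec() unvalidated. As an added illustration (not Sophos code; the helper name buildBlockCommand, the /sbin/ipblock command and the sample inputs are assumptions), this is the shape of a hardened handler: reject anything that is not a literal IP address before the value is ever placed in a shell command, and quote it anyway.

```php
<?php
// Added example, not the appliance's own code. buildBlockCommand and the
// "/sbin/ipblock" tool are placeholders standing in for whatever
// MgrReport.php actually invokes.

/**
 * Build the shell command that blocks or unblocks one address.
 * Returns null if the action is unknown or the address is not a
 * well-formed IPv4/IPv6 literal, so nothing unexpected reaches exec().
 */
function buildBlockCommand(string $action, string $ip): ?string
{
    // Allow-list the verb so the caller cannot pick an arbitrary operation.
    if (!in_array($action, ['block', 'unblock'], true)) {
        return null;
    }
    // Positive validation: only a syntactically valid IP address passes,
    // which excludes shell metacharacters by construction.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Defence in depth: quote the argument even though it is already clean.
    return '/sbin/ipblock --' . $action . ' ' . escapeshellarg($ip);
}

// Constructed sample requests, standing in for the blockip/unblockip
// parameters of a real request.
$samples = [
    ['block',   '10.0.0.5'],
    ['unblock', '2001:db8::1'],
    ['block',   '10.0.0.5; id'],  // metacharacters: rejected
    ['delete',  '10.0.0.5'],      // unknown action: rejected
];

foreach ($samples as [$action, $ip]) {
    $cmd = buildBlockCommand($action, $ip);
    if ($cmd === null) {
        echo "rejected: $action $ip\n";
    } else {
        // In the real handler this is the only string that reaches exec().
        echo "would run: $cmd\n";
    }
}
```

Logging the rejected branch gives defenders a simple detection signal for attempts against this endpoint.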

Exploit: Command Injection


Related Identifiers: CVE-2016-9553

Affected Products: Sophos Web Appliance