Sophos Web Protection Appliance sblistpack Command Injection Exploit

The /opt/ws/bin/sblistpack Perl script in Sophos Web Protection Appliance, which can be reached from the web interface, is vulnerable to OS command injection because its get_referers() function does not escape the first argument of the script before using it within a string that will be executed as a command by using backticks. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary code in the affected appliance with the privileges of the "spiderman" operating system user. A second vulnerability in the Sophos Web Protection Appliance (an OS command injection in the /opt/cma/bin/ script, which can be executed by the "spiderman" user with the sudo command without password) allows an attacker who successfully compromised the appliance to escalate privileges from "spiderman" to root.
Exploit type: 
Vulnerabilty ID: 
Product Version: 
2013 R1
Released Date: 
Saturday, September 7, 2013 - 00:00