Analysis of Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671)
On April 4, 2023, Sophos published a security advisory for their Web Appliance product, which included information on CVE-2023-1671, a critical vulnerability in versions prior to 4.3.10.4. It is a pre-auth command injection vulnerability in the warn-proceed handler that allows execution of arbitrary code. The patch changes the system function's invocation so that the shell is no longer invoked; user-controlled input is still processed through PHP's escapeshellarg function, which escapes a shell argument and wraps it in single quotes. Exploitation is relatively straightforward, as the required GET and POST parameters are supplied thereafter. The full curl command to achieve RCE is demonstrated in the linked article.

[View Article](http://www.ctfiot.com/110542.html)
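The mitigation pattern described in the patch summary above (stop handing a command string to the shell, pass an argument vector instead) is shown below as an added example; it is not code from Sophos or from the linked article. The child command, function names and sample input are constructed for illustration, `shlex.quote` stands in for PHP's `escapeshellarg`, and a POSIX `/bin/sh` is assumed.

```python
import json
import shlex
import subprocess
import sys

# Hypothetical child process: reports the arguments it actually received, as JSON.
CHILD = "import json, sys; print(json.dumps(sys.argv[1:]))"

# Constructed sample input: harmless, but contains quote and separator characters.
SAMPLE = "a'; echo INJECTED; echo 'b"


def via_shell_naive(value):
    """Weak pattern: hand-written quotes inside a string that /bin/sh parses."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(CHILD)} '{value}'"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def via_shell_quoted(value):
    """Shell still parses the string, but the value is escaped first
    (shlex.quote is Python's analogue of escapeshellarg)."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(CHILD)} {shlex.quote(value)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def via_argv(value):
    """Hardened pattern: no shell at all, the value is exactly one argv element."""
    out = subprocess.run([sys.executable, "-c", CHILD, value],
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    print("naive shell string :", via_shell_naive(SAMPLE))
    print("escaped, via shell :", via_shell_quoted(SAMPLE))
    print("argv list, no shell:", via_argv(SAMPLE))
```

Escaping holds only as long as every layer between the input and the shell preserves it; the argument-vector form removes that dependency because no shell parses the value.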