HP StorageWorks Default Accounts and Directory Traversal Vulnerabilities

Bugtraq ID:	51399
Class:	Design Error
CVE:	CVE-2011-4788 CVE-2012-0697
Remote:	Yes
Local:	No
Published:	Jan 12 2012 12:00AM
Updated:	Feb 20 2012 08:10PM
Credit:	Carlos Perez at Tenable Network Security
Vulnerable:	HP StorageWorks P2000 G3
Not Vulnerable:

HP StorageWorks Default Accounts and Directory Traversal Vulnerabilities

HP StorageWorks is prone to a security-bypass vulnerability and a directory-traversal vulnerability.

An attacker could exploit these issues to access arbitrary files on the affected computer, or gain administrative access to the affected application. This may aid in the compromise of the underlying computer.

HP StorageWorks P2000 G3 is affected.

HP StorageWorks Default Accounts and Directory Traversal Vulnerabilities

An attacker can use a browser to exploit these issues.

HP StorageWorks Default Accounts and Directory Traversal Vulnerabilities

Solution:
The vendor released an update to address this issue. Please see the references for more information.

HP StorageWorks Default Accounts and Directory Traversal Vulnerabilities

References:

• HP StorageWorks (HP)
  
• HP StorageWorks Product page (HP)
  
• ZDI-12-015: (0Day) HP StorageWorks P2000 G3 Directory Traversal and Default Acco (TippingPoint Zero Day Initiative)
  
• HP StorageWorks P2000 G3 directory traversal vulnerability (US-CERT)