HP Web JetAdmin Multiple Vulnerabilities
http://secunia.com/advisories/11213/
Secunia Advisory: SA11213
Release Date: 2004-03-25
Critical: Moderately critical
Impact: System access
Where: From local network
Software: HP Web Jetadmin 7.x
Description:
Some vulnerabilities have been reported in HP Web JetAdmin, allowing malicious people to compromise a vulnerable system.
1) It is possible to upload HTS files using "/plugins/hpjwja/script/devices_update_printer_fw_upload.hts". Uploaded files will be placed in "/plugins/hpjwja/firmware/printer/".
2) Input to the "setinclude" parameter in "/plugins/hpjdwm/script/test/setinfo.hts" isn't properly verified. This can be exploited to read arbitrary files and execute arbitrary HTS files by conducting directory traversal attacks using the classic "../" character sequence.
3) It is possible to inject commands, which will be executed when the service is restarted. An example has been provided, which adds a new administrative user:
/plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]
conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../
winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD")
The vulnerabilities have been reported in version 7.5.2546 and prior.
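Added example, not part of the original advisory: a log check that flags requests to the three script paths listed above. It assumes the requests are available as common-log-format lines; the function names, sample lines, client addresses and parameter values are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script paths named in the advisory, keyed to its issue numbers 1-3.
RULES = {
    "/plugins/hpjwja/script/devices_update_printer_fw_upload.hts": 1,
    "/plugins/hpjdwm/script/test/setinfo.hts": 2,
    "/plugins/framework/script/tree.xms": 3,
}
# Assumption: common-log-format lines, client first, request in double quotes.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<uri>\S+) [^"]*"')

def fully_unquote(value):
    """Percent-decode until stable so a double-encoded '../' is still seen."""
    while unquote(value) != value:
        value = unquote(value)
    return value

def classify(line):
    """Return (client, issue, reason) for a matching request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, parts = m.group("client"), urlsplit(m.group("uri"))
    # Assumption: paths are compared case-insensitively.
    issue = RULES.get(fully_unquote(parts.path).lower())
    params = {k: [fully_unquote(v).replace("\\", "/").lower() for v in vs]
              for k, vs in parse_qs(parts.query).items()}
    if issue == 1:
        return (client, 1, "request to firmware upload script")
    if issue == 2 and any("../" in v for v in params.get("setinclude", [])):
        return (client, 2, "directory traversal in setinclude")
    if issue == 3 and any("writetofile(" in v for v in params.get("obj", [])):
        return (client, 3, "WriteToFile call in obj parameter")
    return None

# Constructed sample log lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Mar/2004:10:00:00 +0000] "POST /plugins/hpjwja/script/devices_update_printer_fw_upload.hts HTTP/1.0" 200 512',
    '192.0.2.11 - - [25/Mar/2004:10:01:00 +0000] "GET /plugins/hpjdwm/script/test/setinfo.hts?setinclude=%252e%252e%252fexample.txt HTTP/1.0" 200 90',
    '192.0.2.12 - - [25/Mar/2004:10:02:00 +0000] "GET /plugins/hpjdwm/script/test/setinfo.hts?setinclude=info.inc HTTP/1.0" 200 90',
    '192.0.2.13 - - [25/Mar/2004:10:03:00 +0000] "GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile(PLACEHOLDER) HTTP/1.0" 200 10',
    '192.0.2.14 - - [25/Mar/2004:10:04:00 +0000] "GET /index.html HTTP/1.0" 200 1000',
]

def scan(lines):  # keep only the lines that matched one of the three rules
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Any request to the upload script is reported because the advisory describes the upload itself as the issue; the other two paths are reported only when the parameter carries the pattern the advisory names.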
Solution:
Restrict access to ensure that only trusted users can connect to the service.
Provided and/or discovered by:
1 and 2 reported by wirepair
3 reported by H D Moore