HP Web JetAdmin Multiple Vulnerabilities

http://secunia.com/advisories/11213/

Secunia Advisory: SA11213
Release Date: 2004-03-25


Critical: Moderately critical
Impact: System access
Where: From local network
Software: HP Web Jetadmin 7.x

Description:
Some vulnerabilities have been reported in HP Web JetAdmin, allowing malicious people to compromise a vulnerable system.

1) It is possible to upload HTS files using "/plugins/hpjwja/script/devices_update_printer_fw_upload.hts". Uploaded files will be placed in "/plugins/hpjwja/firmware/printer/".

2) Input to the "setinclude" parameter in "/plugins/hpjdwm/script/test/setinfo.hts" isn't properly verified. This can be exploited to read arbitrary files and execute arbitrary HTS files via directory traversal attacks using the classic "../" character sequence.

3) It is possible to inject commands, which will be executed when the service is restarted. An example has been provided, which adds a new administrative user:

/plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]
conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../
winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD")

The vulnerabilities have been reported in version 7.5.2546 and prior.


Solution:
Restrict access to ensure that only trusted users can connect to the service.
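
To confirm that only trusted hosts have reached the three entry points described above, the web server's access log can be scanned for them. The following Python is an added example, not part of the original advisory or of HP's software; the Common Log Format layout, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request paths named in the advisory; matched case-insensitively.
UPLOAD = "/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"
SETINFO = "/plugins/hpjdwm/script/test/setinfo.hts"
TREE = "/plugins/framework/script/tree.xms"

# Assumption: Common Log Format lines; adapt to the real log layout.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

def decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also seen."""
    for _ in range(rounds):
        text = unquote(text)
    return text

def classify(target):
    """Return the advisory item numbers (1-3) that a request target matches."""
    path, _, query = target.partition("?")
    path = decode(path).lower()
    pairs = parse_qsl(query, keep_blank_values=True)
    params = [(k.lower(), decode(v)) for k, v in pairs]
    hits = []
    if path == UPLOAD:  # item 1: any request to the upload script
        hits.append(1)
    if path == SETINFO and any(
            k == "setinclude" and ("../" in v or "..\\" in v) for k, v in params):
        hits.append(2)  # item 2: traversal sequence in "setinclude"
    if path == TREE and any(
            k == "obj" and "writetofile(" in v.lower() for k, v in params):
        hits.append(3)  # item 3: WriteToFile call passed in "obj"
    return hits

def scan(lines):
    """Return (client, method, status, items) for each matching log line."""
    found = []
    for m in filter(None, map(LOG_RE.match, lines)):
        if items := classify(m.group(3)):
            found.append((m.group(1), m.group(2), int(m.group(4)), items))
    return found

# Constructed sample log lines (documentation addresses, placeholder values).
SAMPLE = [
    '192.0.2.10 - - [25/Mar/2004:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [25/Mar/2004:10:00:05 +0000] "POST ' + UPLOAD + ' HTTP/1.0" 200 90',
    '198.51.100.7 - - [25/Mar/2004:10:00:09 +0000] "GET ' + SETINFO + '?setinclude=..%2F..%2FPLACEHOLDER HTTP/1.0" 200 77',
    '198.51.100.7 - - [25/Mar/2004:10:00:12 +0000] "GET ' + TREE + '?obj=httpd:WriteToFile(PLACEHOLDER) HTTP/1.0" 200 31',
]
```

Calling `scan(SAMPLE)` returns one tuple per flagged request; any client address in the result that is not on the trusted list indicates the access restriction is not effective.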


Provided and/or discovered by:
1 and 2 reported by wirepair
3 reported by H D Moore