HP Web Jetadmin Script Source Disclosure

2004-04-27T09:42:00
ID OSVDB:5790
Type osvdb
Reporter FX (fx@phenoelit.de)
Modified 2004-04-27T09:42:00

Description

Vulnerability Description

HP Jetadmin contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a dot (.) is added to the end of a requested URL, which will disclose the contents of the requested script, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 7.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

Manual Testing Notes

Example: http://server:8000/plugins/hpjwja/script/devices_list.hts.
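A log check for the request pattern described above, added here as an example and not taken from the advisory or from HP. It assumes the Web Jetadmin HTTP service (or a proxy in front of it) writes common/combined-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line and status code as they appear in common/combined log format (assumed).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def is_trailing_dot_script_request(target, ext=".hts"):
    """True when the URL path names a script followed by one or more dots."""
    # Drop the query string and normalize percent-encoding and case before matching.
    path = unquote(urlsplit(target).path).lower()
    stripped = path.rstrip(".")
    return stripped != path and stripped.endswith(ext)

def find_disclosure_attempts(lines):
    """Return one record per matching request; 'served' marks a 200 response."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_trailing_dot_script_request(m.group("target")):
            hits.append({
                "client": line.split(" ", 1)[0],
                "target": m.group("target"),
                "served": m.group("status") == "200",  # source was likely returned
            })
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2004:09:40:01 +0000] "GET /plugins/hpjwja/script/devices_list.hts HTTP/1.0" 200 5120',
    '192.0.2.44 - - [27/Apr/2004:09:41:13 +0000] "GET /plugins/hpjwja/script/devices_list.hts. HTTP/1.0" 200 8731',
    '192.0.2.44 - - [27/Apr/2004:09:41:20 +0000] "GET /plugins/hpjwja/script/devices_list.hts%2E?x=1 HTTP/1.0" 404 312',
    '192.0.2.10 - - [27/Apr/2004:09:42:02 +0000] "GET /plugins/hpjwja/images/logo.gif HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in find_disclosure_attempts(SAMPLE_LOG):
        state = "SERVED (review for disclosure)" if hit["served"] else "rejected"
        print(f'{hit["client"]} {hit["target"]} -> {state}')
```

A hit with a 200 status on a version below 7.5 should be treated as a probable disclosure of that script's source.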

References:

Vendor URL: http://www.hp.com
Vendor Specific Advisory URL
Secunia Advisory ID: 11536
Related OSVDB ID: 5793
Related OSVDB ID: 5798
Related OSVDB ID: 5792
Related OSVDB ID: 5794
Related OSVDB ID: 5796
Related OSVDB ID: 5791
Related OSVDB ID: 5795
Related OSVDB ID: 5797
Other Advisory URL: http://www.phenoelit.de/stuff/HP_Web_Jetadmin_advisory.txt
Nessus Plugin ID: 12227
ISS X-Force ID: 15980
CERT VU: 606673
Bugtraq ID: 10224