HP Web Jetadmin framework.ini Password Disclosure

2004-04-27T09:42:00
ID OSVDB:5792
Type osvdb
Reporter FX(fx@phenoelit.de)
Modified 2004-04-27T09:42:00

Description

Vulnerability Description

HP Jetadmin contains a flaw that may allow a malicious user to bypass validation. The issue is triggered when the element "Framework:CheckPassword;" is omitted from the "obj" variable of an HTTP POST request. The flaw may allow immediate access to the specified function, resulting in a loss of integrity.

Solution Description

Upgrade to version 7.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific Advisory URL
Secunia Advisory ID: 11536
Related OSVDB ID: 5793
Related OSVDB ID: 5798
Related OSVDB ID: 5794
Related OSVDB ID: 5796
Related OSVDB ID: 5790
Related OSVDB ID: 5791
Related OSVDB ID: 5795
Related OSVDB ID: 5797
Other Advisory URL: http://www.phenoelit.de/stuff/HP_Web_Jetadmin_advisory.txt
CERT VU: 606673
Bugtraq ID: 10224