HP Web JetAdmin obj Variable XSS

2004-04-27T00:00:00
ID OSVDB:5796
Type osvdb
Reporter FX (fx@phenoelit.de)
Modified 2004-04-27T00:00:00

Description

Vulnerability Description

HP JetAdmin contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate "obj" variables when accessing functions. This could allow an attacker to send a specially crafted HTTP POST request that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 7.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


References:

Vendor URL: http://www.hp.com/
Vendor Specific Advisory URL
Secunia Advisory ID: 11536
Related OSVDB ID: 5793
Related OSVDB ID: 5798
Related OSVDB ID: 5792
Related OSVDB ID: 5794
Related OSVDB ID: 5790
Related OSVDB ID: 5791
Related OSVDB ID: 5795
Related OSVDB ID: 5797
Other Advisory URL: http://www.phenoelit.de/stuff/HP_Web_Jetadmin_advisory.txt
Nessus Plugin ID: 12227
Keyword: HPSBPI01026
Keyword: SSRT2397
CIAC Advisory: o-136
Bugtraq ID: 10224