Reporter Luca Carettoni
Hopeless comments regarding the pointless
"HP System Management Homepage (SMH) Unspecified XSS"
August 25, 2008
Since HP does not provide technical details in its security bulletins, it is really
difficult to track vulnerabilities and patches.
In the last few years several Cross Site Scripting vulnerabilities were reported
against the HP System Management Homepage (SMH), however no technical details were
provided and it is still difficult to understand the real entity of this issue.
Whenever you search for information regarding this weakness in the public vulnerability
databases, you can just read tons of incomplete or overlapped descriptions.
In order to understand the essence of the problem, have a look at:
Although it is ages away from being useful, it gives a compact overview of the flaw.
This is the most useless indeed:
This document discusses three attack vectors found on the HP System Management
Cross Site scripting (XSS)
Since it is a web management console, the Cross Site Scripting vulnerability has a
medium/high impact whenever it can be exploited.
HP System Management Homepage (SMH) is prone to a XSS vulnerability because it
fails to check the input parameter used to show a generic error message.
The vulnerability affects the "message.php" script. In detail, this page uses the
If the error ID provided in the URL does not match any valid code, a generic error
is reported ("An unknown error (%INVALID_CODE%) occurred") instead.
In the first versions of the HP System Management Homepage (probably <= 2.1.1) there
is a client-side only input validation:
<--- cut here --->
// handle possible active content in the pieces of the query string
for(i=0; i<splitquery.length; i++)
splitquery[i] = unescape(splitquery[i]);
splitquery[i] = splitquery[i].replace("\<script\>", "");
splitquery[i] = splitquery[i].replace("\<\/script\>", "");
<--- cut here --->
As you can see, the validation is obviously prone to fail.
Since it is not performed a global matching but just the first occurrence is replaced,
it is trivial to bypass this control and successfully exploit the flaw.
Moreover we have to remember that multiple attack vectors without the HTML "SCRIPT" tag
exist in this situation.
In the second generation (for sure, after the version 2.1.4), finally a server side
validation was introduced. Unfortunately a simple NULL byte (%00) is enough
to bypass this checkpoint and provides the "location.search" as in the previous
The version 2.1.11 is patched against this vulnerability.
The server side validation introduced in the second generation appears to be a black-list
based filter. All HTML tags tested were blocked by the filter. However the '<BGSOUND>' tag
has not been included in the black-list and it bypasses the server-side validation.
As reported by Rsnake in his XSS Cheat Sheet,'<BGSOUND>' tag is a valid attack vector in
certain versions of Opera.
The latest version (2.1.12) has not yet been tested for this vector. Since only Opera
users are likely to be affected, the associated risk is relatively low.
According to our analysis, this is probably the most comprehensive list:
HP System Management Homepage 2.1.9
HP System Management Homepage 2.1.8
HP System Management Homepage 2.1.7 (TESTED for 2nd, 3rd vector)
HP System Management Homepage 2.1.6
HP System Management Homepage 2.1.5 (TESTED for 2nd, 3rd vector)
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1
HP System Management Homepage 2.0.2 (TESTED for 1st vector)
HP System Management Homepage 2.0.1 (TESTED for 1st vector)
HP System Management Homepage 2.0
HP HP-UX B.11.31
HP HP-UX B.11.23
HP HP-UX B.11.11
HP System Management Homepage 2.1.11
HP System Management Homepage 2.1.12 are NOT vulnerable using the 1st and 2nd vector.
Luca Carettoni (luca.carettoni[at]ikkisoft[dot]com) - http://www.ikkisoft.com/
Claudio Criscione (claudio[at]criscio[dot]net) - http://www.oversighting.com/
Lavakumar Kuppan (lavakumark[at]gmail[dot]com) - http://www.lavakumar.com/