HP LoadRunner is a software performance testing solution. HP LoadRunner includes the **lrFileIOService** ActiveX control.

HP LoadRunner before 11.52 is vulnerable to remote code execution. The **lrFileIOService** ActiveX control exposes the **WriteFileString** method, which does not properly sanitize user-supplied input. A remote attacker who persuades a user to open a crafted web page containing directory traversal style attacks (e.g. '../../') can write a file to an arbitrary location, thereby possibly resulting in code execution.

Upgrade to HP LoadRunner 11.52 or higher as indicated in HP Security Bulletin HPSBGN02905 SSRT101083.

This exploit was tested against HP LoadRunner 11.50 on Windows XP SP3 English (DEP OptIn). The user must open the exploit in Internet Explorer.
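
One way a file-writing method can reject traversal input such as the '../../' described above, shown as an added example (not HP's code and not taken from the bulletin). The names `resolve_inside` and `is_allowed` and the base directory `C:\LR\out` are hypothetical; `ntpath` is used so Windows path rules apply on any OS.

```python
import ntpath  # Windows path rules, usable on any OS

BASE_DIR = r"C:\LR\out"  # hypothetical output directory, not a LoadRunner path


def resolve_inside(base_dir: str, name: str) -> str:
    """Return the absolute path for `name` under `base_dir`, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    # ':' covers drive letters (C:...) and NTFS alternate data streams (f.txt:ads);
    # a leading separator covers rooted (\Windows) and UNC (\\host\share) paths.
    if ":" in name or name[0] in "\\/":
        raise ValueError("absolute, drive-qualified or stream path")
    base = ntpath.normpath(base_dir)
    # normpath turns '/' into '\' and collapses '.' and '..' lexically, so the
    # comparison below sees where the write would really land.
    candidate = ntpath.normpath(ntpath.join(base, name))
    # Compare whole components, case-insensitively: C:\LR\out2 is not under C:\LR\out.
    if ntpath.commonpath([base, candidate]).lower() != base.lower():
        raise ValueError("path escapes the base directory")
    if candidate.lower() == base.lower():
        raise ValueError("name resolves to the base directory itself")
    return candidate


def is_allowed(name: str, base_dir: str = BASE_DIR) -> bool:
    """Boolean wrapper around resolve_inside for callers that only need a verdict."""
    try:
        resolve_inside(base_dir, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real page.
    for sample in ["report.txt", "run1/../report.txt", "../../x.txt",
                   "..\\out2\\x.txt", "\\Windows\\x.txt", "C:\\x.txt", "x.txt:ads"]:
        print(f"{sample!r:24} -> {'allow' if is_allowed(sample) else 'reject'}")
```

The check is purely lexical: it does not follow NTFS junctions or symbolic links that already exist under the base directory.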