(0Day) HP SiteScope UploadFilesHandler Remote Code Execution Vulnerability

2012-08-29T00:00:00
ID ZDI-12-174
Type zdi
Reporter Andrea Micalizzi aka rgod
Modified 2012-11-09T00:00:00

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP SiteScope. Authentication is not required to exploit this vulnerability.

The specific flaw is a directory traversal in the UploadFilesHandler URL that allows files to be uploaded into a directory on the server that permits scripting. This vulnerability could lead to remote code execution in the context of the current process.
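The flaw class described above, shown as an added example that is not HP SiteScope code and is not taken from the advisory: an upload handler that joins a client-supplied file name to its upload root unchecked, next to a version that accepts only a bare name and confirms the resolved path stays inside the root. All function names, directory names and sample file names are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeUploadPath(ValueError):
    """The client-supplied name would place the file outside the upload root."""


def naive_destination(upload_root: Path, client_name: str) -> Path:
    # Flawed pattern: the name from the request is joined to the root unchecked,
    # so ".." segments in it choose the directory the file is written to.
    return Path(os.path.normpath(upload_root / client_name))


def safe_destination(upload_root: Path, client_name: str) -> Path:
    # Accept a bare file name only: no separators of either style, no NUL,
    # no "." or ".." component.
    if (not client_name or client_name in {".", ".."}
            or any(c in client_name for c in "/\\\x00")):
        raise UnsafeUploadPath(client_name)
    root = upload_root.resolve()
    candidate = (root / client_name).resolve()
    # Re-check after resolution so a symlink inside the root cannot redirect
    # the write to another directory.
    if candidate.parent != root:
        raise UnsafeUploadPath(client_name)
    return candidate


def classify(upload_root: Path, names: list[str]) -> dict[str, str]:
    """Return 'accepted' or 'rejected' for each constructed sample name."""
    verdicts = {}
    for name in names:
        try:
            safe_destination(upload_root, name)
            verdicts[name] = "accepted"
        except UnsafeUploadPath:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample names; "uploads" and "webroot" are hypothetical.
    samples = ["report.csv", "../webroot/script.ext", "..\\webroot\\script.ext", ".."]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        print(naive_destination(root, samples[1]))  # lands outside uploads/
        print(classify(root, samples))
```

The path check limits where a file can be written; keeping the upload directory itself outside any location the server executes scripts from addresses the second half of the flaw.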