CVE-2004-1857
published 2004-03-24CVE-2004-1857: Directory traversal vulnerability in setinfo.hts in HP Web Jetadmin 7.5.2546 allows remote authenticated attackers to read arbitrary files via a .. (dot dot)…
PriorityP335low2.1CVSS 2.0
AVLACLAuNCPINAN
EXPLOIT
EPSS
86.83%
99.7th percentile
Directory traversal vulnerability in setinfo.hts in HP Web Jetadmin 7.5.2546 allows remote authenticated attackers to read arbitrary files via a .. (dot dot) in the setinclude parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | web_jetadmin | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttps://<host>:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../../../boot.ini↗
urlhttps://<host>:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../auth/local.users↗
urlhttps://<host>:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../hpjwja/firmware/printer/test.inc↗
urlhttps://<host>:8443/plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD")↗
- →Detect directory traversal attempts targeting the 'setinclude' parameter of setinfo.hts; look for '../' sequences in the parameter value in HTTP requests to /plugins/hpjdwm/script/test/setinfo.hts ↗
- →Monitor HTTP requests to /plugins/framework/script/tree.xms with an 'obj' parameter containing 'WriteToFile' or shell command strings (e.g., cmd.exe, net user), indicating arbitrary command execution attempts ↗
- →Flag access to sensitive files via traversal patterns in setinclude, specifically targeting boot.ini, local.users, or .inc firmware files ↗
- →This vulnerability can be chained with a firmware update file upload weakness; monitor for file uploads to the HP Web Jetadmin firmware path followed by traversal reads ↗
- ·Exploitation requires an authenticated account; unauthenticated attackers cannot directly exploit this traversal vulnerability ↗
- ·Affected version is HP Web Jetadmin 7.5.2546; detections should be scoped to this version running on Windows ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
HP Web Jetadmin 7.5.2456 - Arbitrary Command Execution
exploitdb·2004-03-24
CVE-2004-1857 HP Web Jetadmin 7.5.2456 - Arbitrary Command Execution
HP Web Jetadmin 7.5.2456 - Arbitrary Command Execution
---
source: https://www.securityfocus.com/bid/9973/info
Reportedly HP web Jetadmin is prone to a remote arbitrary command execution vulnerability. This issue is due to a failure of the application to properly validate and sanitize user supplied input.
Successful exploitation of this issue will allow a malicious user to execute arbitrary commands on the affected system.
This issue has been tested with an authenticated account on HP Web Jetadmin version 7.5.2546 running on a Windows platform.
/plugins/hpjfpmui/script/wja_update_product.hts:
(Changed the value of obj to our DoS function)
The following proof of concept that will create a user account has been provided by H D Moore :
https://:8443/plugins/framework/script/tree.xm
Exploit-DB
HP Web Jetadmin 7.5.2456 - setinfo.hts Script Directory Traversal
exploitdb·2004-03-24
CVE-2004-1857 HP Web Jetadmin 7.5.2456 - setinfo.hts Script Directory Traversal
HP Web Jetadmin 7.5.2456 - setinfo.hts Script Directory Traversal
---
source: https://www.securityfocus.com/bid/9972/info
It has been reported that HP Web JetAdmin may be prone to a directory traversal vulnerability allowing remote attackers to access information outside the server root directory. The problem exists due to insufficient sanitization of user-supplied data passed via the 'setinclude' parameter of 'setinfo.hts' script.
This vulnerability can be combined with HP Web Jetadmin Firmware Update Script Arbitrary File Upload Weakness (BID 9971) to upload malicious files to a vulnerable server in order to gain unauthorized access to a host.
This issue has been tested with an authenticated account on HP Web Jetadmin version 7.5.2546 running on a Windows platform.
https://www.exam
No writeups or analysis indexed.
http://marc.info/?l=bugtraq&m=108016019623003&w=2http://www.securityfocus.com/advisories/6492http://www.securityfocus.com/bid/9972https://exchange.xforce.ibmcloud.com/vulnerabilities/15606http://marc.info/?l=bugtraq&m=108016019623003&w=2http://www.securityfocus.com/advisories/6492http://www.securityfocus.com/bid/9972https://exchange.xforce.ibmcloud.com/vulnerabilities/15606
2004-03-24
Published