cbcvebase.
CVE-2011-4166
published 2011-12-27

CVE-2011-4166: Directory traversal vulnerability in the MPAUploader.Uploader.1.UploadFiles method in HP Managed Printing Administration before 2.6.4 allows remote attackers…

PriorityP271high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
62.61%
99.1th percentile
Directory traversal vulnerability in the MPAUploader.Uploader.1.UploadFiles method in HP Managed Printing Administration before 2.6.4 allows remote attackers to create arbitrary files via crafted form data.

Affected

1 ranges
VendorProductVersion rangeFixed in
hpmanaged_printing_administration<= 2.6.3

Detection & IOCsextracted from sources · hover to see the quote

url/hpmpa/jobAcct/Default.asp
url/hpmpa/home/Default.asp
path/hpmpa/userfiles/
path..\../../wwwroot
  • Detect POST requests to /hpmpa/jobAcct/Default.asp with multipart/form-data containing directory traversal sequences (e.g., '..\..') and a null byte (\x00) in the filename field of the upload part.
  • Look for multipart form-data POST requests to /hpmpa/jobAcct/Default.asp with query parameters 'userId' and 'jobId', which are used by the exploit to trigger the vulnerable UploadFiles() function.
  • Detect HTTP responses from /hpmpa/home/Default.asp containing 'HP Managed Printing Administration' and a version string matching 'v' followed by a version number — used by the exploit's check method to fingerprint vulnerable targets.
  • Alert on file creation attempts in wwwroot subdirectories via the MPAUploader.Uploader.1 ActiveX control, particularly .asp files written through null-byte-terminated filenames (e.g., payload.asp\x00.tmp).
  • ·Exploitation requires a writable path accessible under the Internet Guest Account (IUSR_*) or Everyone, AND the path must be web-accessible (under wwwroot). Exploitation will fail if neither condition is met.
  • ·The exploit cannot overwrite an existing file with the same name as the payload; re-exploitation to the same filename will fail.
  • ·The Metasploit module targets HP Managed Printing Administration 2.6.3 and prior on Windows XP SP3 or Server 2003 SP2 specifically.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.