cbcvebase.
CVE-2013-4811
published 2013-09-16

CVE-2013-4811: UpdateDomainControllerServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM)…

Priority: P178 (critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 71.29% (99.3rd percentile)
UpdateDomainControllerServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 does not properly validate the adCert argument, which allows remote attackers to upload .jsp files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-1743.

Affected (3 ranges)

Vendor  Product                  Version range  Fixed in
hp      identity_driven_manager  4.0            (not given)
hp      procurve_manager         3.20           (not given)
hp      procurve_manager         4.0            (not given)

Detection & IOCs (extracted from sources)

url: /RegWeb/RegWeb/UpdateDomainControllerServlet
url: /RegWeb/RegWeb/GetDomainControllerServlet
url: /RegWeb/html/snac/index.html
port: 443
command: form-data; name="adCert"; filename="\../#{jsp_name}"
path: /RegWeb/<jsp_name>
  • Detect POST requests to the UpdateDomainControllerServlet endpoint with multipart/form-data containing a path traversal sequence in the adCert filename parameter (e.g., '\../' prefix before a .jsp filename).
  • Alert on HTTP responses from /RegWeb/RegWeb/UpdateDomainControllerServlet that do NOT contain 'success:false', as a successful upload returns HTTP 200 without that string.
  • Flag HTTP GET requests to /RegWeb/*.jsp where the JSP filename matches a random alphanumeric pattern (8–15 chars) and arrives immediately after a POST to UpdateDomainControllerServlet; this is the webshell execution step.
  • Look for the Apache-Coyote server banner on the target, which is used by the exploit module to fingerprint the vulnerable HP ProCurve SNAC server.
  • Monitor for .jsp files written into the /RegWeb/ web root directory on Windows hosts running HP ProCurve Manager SNAC Server, as the path traversal deposits the payload there.
  • Binary writes are not permitted by the vulnerable servlet, so the exploit payload must be text-safe (ARCH_JAVA is used specifically because Java payloads are text-encodable).
  • The exploit requires SSL (HTTPS on port 443); plain HTTP traffic to this endpoint would not represent exploitation of this CVE via the known public module.
  • Authentication bypass is part of the attack chain: the session cookie obtained from /RegWeb/html/snac/index.html is sufficient to reach the upload endpoint without valid credentials.
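The first and third detection bullets above, written out as Python over a constructed in-memory request sequence (an added example, not code from this page's sources or from the public module); the request dict fields, the sample JSP name and the certificate filename are assumptions.

```python
import re
from posixpath import basename

# Constructed sample requests (not real captures): one SNAC session, one
# traversal upload, the follow-up GET, and a benign certificate upload.
UPLOAD_ENDPOINT = "/RegWeb/RegWeb/UpdateDomainControllerServlet"
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/RegWeb/html/snac/index.html", "ctype": "", "body": ""},
    {"method": "POST", "path": UPLOAD_ENDPOINT, "ctype": "multipart/form-data; boundary=b1",
     "body": '--b1\r\nContent-Disposition: form-data; name="adCert"; '
             'filename="\\../kQx7Lm2ZpA.jsp"\r\n\r\n<%-- text-safe payload --%>\r\n--b1--'},
    {"method": "GET", "path": "/RegWeb/kQx7Lm2ZpA.jsp", "ctype": "", "body": ""},
    {"method": "POST", "path": UPLOAD_ENDPOINT, "ctype": "multipart/form-data; boundary=b2",
     "body": '--b2\r\nContent-Disposition: form-data; name="adCert"; '
             'filename="dc01.cer"\r\n\r\n-----BEGIN CERTIFICATE-----\r\n--b2--'},
]

ADCERT_FILENAME = re.compile(r'name="adCert";\s*filename="([^"]*)"', re.I)
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')      # "\../", "/../", leading ".."
WEBROOT_JSP = re.compile(r'^/RegWeb/([A-Za-z0-9]{8,15})\.jsp$')

def adcert_filename(req):
    """Filename of the multipart 'adCert' part, or None if absent."""
    m = ADCERT_FILENAME.search(req["body"])
    return m.group(1) if m else None

def is_traversal_jsp_upload(req):
    """Rule 1: multipart POST to the servlet whose adCert filename traverses and ends in .jsp."""
    if req["method"] != "POST" or req["path"] != UPLOAD_ENDPOINT:
        return False
    if "multipart/form-data" not in req["ctype"].lower():
        return False
    name = adcert_filename(req)
    return bool(name) and bool(TRAVERSAL.search(name)) and name.lower().endswith(".jsp")

def detect(requests):
    """Run both rules over an ordered request list; returns (index, rule, detail, confidence)."""
    alerts, dropped = [], set()
    for i, req in enumerate(requests):
        if is_traversal_jsp_upload(req):
            name = basename(adcert_filename(req).replace("\\", "/"))
            dropped.add(name)
            alerts.append((i, "traversal-jsp-upload", name, "high"))
        elif req["method"] == "GET" and dropped:
            m = WEBROOT_JSP.match(req["path"])
            if m:                       # Rule 2: JSP fetched from the web root after an upload
                conf = "high" if m.group(1) + ".jsp" in dropped else "medium"
                alerts.append((i, "webshell-access", req["path"], conf))
    return alerts
```

A GET for a random-looking /RegWeb/*.jsp with no preceding traversal upload in the same stream is deliberately not flagged, which keeps legitimate JSP traffic quiet.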