ISS X-Force Database: hp-system-managemenet-homepage-dir-traversal(24996): HP System Management Homepage unspecified directory traversal

HP System Management Homepage unspecified directory traversal

hp-system-managemenet-homepage-dir-traversal (24996)

Medium Risk

Description:

HP System Management Homepage could allow a remote attacker to traverse directories on the Web server. A remote attacker could send a specially-crafted URL request to traverse directories and view arbitrary files outside of the Web root directory.

Platforms Affected:

HP, System Management Homepage 2.0.0
HP, System Management Homepage 2.0.1
HP, System Management Homepage 2.0.2
HP, System Management Homepage 2.1
HP, System Management Homepage 2.1.1
HP, System Management Homepage 2.1.2
HP, System Management Homepage 2.1.3
HP, System Management Homepage 2.1.4

Remedy:

Refer to Hewlett-Packard Company Security Bulletin HPSBMA02099 SSRT061118 for patch, upgrade, or suggested workaround information. See References.

Consequences:

Obtain Information

References:

Hewlett-Packard Company Security Bulletin HPSBMA02099 SSRT061118 rev.1, HP System Management Homepage (SMH) Running on Windows: Remote Unauthorized Access at http://itrc.hp.com/service/cki/docDisplay.do?docId=c00601530.
HP System Management Homepage Web site, HP.com - Management - HP System Management Homepage v2.0 - Overview & Features at http://h18004.www1.hp.com/products/servers/management/agents/.
BID-16876: HP System Management Homepage Unspecified Directory Traversal Vulnerability
CVE-2006-1023: Directory traversal vulnerability in HP System Management Homepage (SMH) 2.0.0 through 2.1.4 on Windows allows remote attackers to access certain files via unspecified vectors.
SA19059: HP System Management Homepage Directory Traversal
SECTRACK ID: 1015692: HP System Management Homepage Unspecified Bug Lets Remote Users Traverse the Directory
VUPEN/ADV-2006-0769: HP System Management Homepage Directory Traversal Vulnerability

Reported:

Feb 28, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page