| VID |
23160 |
| Severity |
30 |
| Port |
50000 |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The HP SIM service is vulnerable to a directory traversal vulnerability in the 'namazucgi' script. Hewlett-Packard Systems Insight Manager (SIM) is an unified infrastructure management tool. HP SIM versions 4.2 through 5.0 SP3 running on Microsoft Windows platforms are vulnerable to a directory traversal vulnerability, caused by improper validation of user-supplied input passed to the 'lang' parameter of the 'namazucgi' script. By sending a specially-crafted URL to the 'namazucgi' script containing "dot dot" sequences (/../) in the 'lang' parameter, a remote attacker could traverse directories on the Web server to read arbitrary files on the affected host subject to the permissions of the web server user id.
* References:
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00597967
http://www.securityfocus.com/advisories/10104
http://www.frsirt.com/english/advisories/2006/0497
http://secunia.com/advisories/18789
* Platforms Affected:
HP Systems Insight Manager 4.2 through 5.0 SP3
Microsoft Windows Any version |
| Recommendation |
Upgrade to the latest version of HP SIM (5.0 SP4 or later), available from the Hewlett-Packard "HP SIM - Windows" Download Web site at http://h18013.www1.hp.com/products/servers/management/hpsim/dl_windows.html
-- OR --
This vulnerability can be addressed by manually editing configuration files in the HP SIM installation, as listed in Hewlett-Packard Security Bulletin HPSBMA02096 at http://www.securityfocus.com/advisories/10104 |
| Related URL |
CVE-2006-0656 (CVE) |
| Related URL |
16571 (SecurityFocus) |
| Related URL |
(ISS) |
|
