CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
99.0%
The remote HP Web JetAdmin suffers from a number of vulnerabilities. The
current running version is vulnerable to a directory traversal attack via the setinfo.hts script.
# SPDX-FileCopyrightText: 2004 wirepair
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
# Tested only on HP Web JetAdmin Version 7.5.2546 checks a file just outside
# of web root. I didn't want it to check for boot.ini in case its installed on
# a separate drive then we'll get a false positive... -wirepair
CPE = "cpe:/a:hp:web_jetadmin";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.12120");
script_version("2023-08-01T13:29:10+0000");
script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_cve_id("CVE-2004-1857");
script_tag(name:"cvss_base", value:"2.1");
script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:P/I:N/A:N");
script_xref(name:"IAVA", value:"2004-B-0007");
script_name("HP Jet Admin 7.x Directory Traversal");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2004 wirepair");
script_family("Web Servers");
script_dependencies("gb_hp_web_jetadmin_detect.nasl");
script_require_ports("Services/www", 8000);
script_mandatory_keys("HpWebJetadmin/installed");
script_tag(name:"solution", value:"To set a password for the HP Web Jet Admin service follow these steps:
1. In the navigation menu select General Settings, and expand the tree.
2. Expand Profiles Administration
3. Select Add/Remove Profiles
4. In the User Profiles page, if a password has not been set, select the
'Note: To enable security features, an Admin password must be set.' link.
5. Set an administrator password.
It is strongly recommended that access be restricted by IP Addresses:
1. Expand the General Settings tree.
2. Select the HTTP (Web) branch.
3. Under the 'Allow HP Web Jetadmin Access' add your administration IP host or
range. HP Also recommends removing all files that are included in the test
directory. On a default installation this would be in the directory
C:\Program Files\HP Web Jetadmin\doc\plugins\hpjdwm\script\");
script_tag(name:"summary", value:"The remote HP Web JetAdmin suffers from a number of vulnerabilities. The
current running version is vulnerable to a directory traversal attack via the setinfo.hts script.");
script_tag(name:"impact", value:"A remote attacker can access files by requesting the
following string:
/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../hptrace.ini");
script_xref(name:"URL", value:"http://sh0dan.org/files/hpjadmadv.txt");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/9973");
script_tag(name:"qod_type", value:"remote_vul");
script_tag(name:"solution_type", value:"Mitigation");
exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("host_details.inc");
if( ! port = get_app_port( cpe:CPE ) )
exit( 0 );
if( ! get_app_location( port:port, cpe:CPE, nofork:TRUE ) ) # nb: To have a reference to the Detection-VT
exit( 0 );
url = "/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../hptrace.ini";
req = http_get( item:url, port:port );
res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
if( isnull( res ) ) exit( 0 );
if( res =~ "^HTTP/1\.[01] 200" && "traceLogfile=" >< res ) {
report = http_report_vuln_url( port:port, url:url );
security_message( port:port, data:report );
exit( 0 );
}
exit( 99 );