NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Secunia Advisories> 2006-q2

[SA19529] HP Color LaserJet 2500/4600 Toolbox Disclosure of Sensitive Information

From: Secunia Security Advisories (sec-advsecunia.com)
Date: Wed Apr 05 2006 - 08:32:05 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

TITLE:
HP Color LaserJet 2500/4600 Toolbox Disclosure of Sensitive
Information

SECUNIA ADVISORY ID:
SA19529

VERIFY ADVISORY:
http://secunia.com/advisories/19529/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information

WHERE:
From local network

SOFTWARE:
HP Color LaserJet 2500 Toolbox 3.x
http://secunia.com/product/9172/
HP Color LaserJet 4600 Toolbox 3.x
http://secunia.com/product/9173/

DESCRIPTION:
Richard Horsman has reported a vulnerability in the HP Color LaserJet
2500 Toolbox and HP Color LaserJet 4600 Toolbox software, which can be
exploited by malicious people to disclose sensitive information.

The vulnerability is caused due to an input validation error in the
built-in HTTP server. This can be exploited to disclose the contents
of arbitrary files via directory traversal attacks.

Example:
http://[host]:5225/../../../[file]

SOLUTION:
Update to version 3.1.

HP Color LaserJet 2500 Toolbox:
http://www.hp.com/go/clj2500_software

HP Color LaserJet 4600 Toolbox:
http://www.hp.com/go/clj4600_software

PROVIDED AND/OR DISCOVERED BY:
Richard Horsman

ORIGINAL ADVISORY:
HPSBPI2109 SSRT061141:
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00634759

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories

----------------------------------------------------------------------

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]