HP StorageWorks Modular Smart Array P2000 G3 Web Interface Directory Traversal Vulnerability


Description   A vulnerability has been reported in HP StorageWorks Modular Smart Array P2000, which can be exploited by malicious people to disclose sensitive information.
Certain input passed to the web interface is not properly verified before being used to display files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.
The vulnerability is reported in HP StorageWorks Modular Smart Array P2000 G3 running firmware versions prior to TS230P008.
     
Vulnerable Products   Vulnerable OS:
HP StorageWorks Modular Smart Array P2000
Vulnerable Software:
     
Solution   Update to firmware version TS230P008.
     
CVE   CVE-2011-4788
     
References   HPSBST02735 SSRT100516:
http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03153338
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-015/
US-CERT VU#885499:
http://www.kb.cert.org/vuls/id/885499
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                            Available Since
Misc : Directory traversal - parameter starting with ../    3.2.0
Directory traversal using ..\..                             3.2.0
Directory traversal                                         3.2.0
Directory traversal backward root folder                    3.2.0
     


 
 
 
 
Risk level   Low

Vulnerability First Public Report Date   2012-01-16

Target Type   Server

Possible exploit   Local