HP SiteScope contains vulnerabilities that could allow an unauthenticated, remote attacker to access sensitive information and execute arbitrary code on a targeted system.
A vulnerability in the getSiteScopeConfiguration operation of the APISiteScopeImpl AXIS service is due to insufficient authentication restrictions performed while handling the SOAP request. This error could allow an attacker to access sensitive information, such as administrator credentials.
Another vulnerability is in the UploadManagerServlet and is due to insufficient checks performed while uploading files. This error could allow upload of an arbitrary payload embedded in a JSP and cause memory corruption.
An unauthenticated, remote attacker could exploit these vulnerabilities by sending a crafted SOAP request to the targeted system. Successful exploitation could allow an attacker to access sensitive information and execute arbitrary code on the system.
Proof-of-concept code is available as part of the Metasploit framework.
HP has confirmed these vulnerabilities and released software updates.
Administrators are advised to apply the appropriate updates.
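Alongside patching, web access logs can be reviewed for requests that reference the two components named in this advisory. The following Python is an added example, not code from HP or from the original advisory; it assumes the component names appear in the logged request path, and the trusted network, the `/example/` paths and the log lines are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Names from the advisory; assumption: they appear in the logged request path.
COMPONENTS = ("APISiteScopeImpl", "UploadManagerServlet")
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical management network
# Common/combined log format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a non-IP client field is never treated as trusted
    return any(addr in net for net in TRUSTED_NETS)

def review(lines):
    """Map each untrusted source IP to the components it requested and the hits."""
    findings = defaultdict(lambda: {"components": set(), "hits": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or is_trusted(m["ip"]):
            continue
        touched = {c for c in COMPONENTS if c.lower() in m["path"].lower()}
        if touched:
            entry = findings[m["ip"]]
            entry["components"] |= touched
            entry["hits"].append((m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(findings)

def priority(finding):
    """'high' when one source requested both the SOAP service and the upload servlet."""
    return "high" if finding["components"] == set(COMPONENTS) else "review"

# Constructed sample lines; the /example/ paths are placeholders, not real SiteScope URLs.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2013:10:01:02 +0000] "POST /example/services/APISiteScopeImpl HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2013:10:01:09 +0000] "POST /example/UploadManagerServlet HTTP/1.1" 200 312',
    '198.51.100.4 - - [12/Mar/2013:10:05:40 +0000] "GET /example/services/apisitescopeimpl?wsdl HTTP/1.1" 200 9001',
    '10.20.0.15 - admin [12/Mar/2013:10:06:00 +0000] "POST /example/services/APISiteScopeImpl HTTP/1.1" 200 4800',
    '203.0.113.7 - - [12/Mar/2013:10:07:00 +0000] "GET /example/index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, f in review(SAMPLE).items():
        print(ip, priority(f), sorted(f["components"]), len(f["hits"]))
```

Replace `COMPONENTS` with the URL fragments under which your deployment exposes these components, and `TRUSTED_NETS` with the networks that legitimately administer SiteScope.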
HP has released security bulletin c03489683 for registered users at the following link: HPSBMU02815 SSRT100715
HP has released updated software at the following links:
HP has released patches at the following links: