Vulnerability Note VU#885499

HP StorageWorks P2000 G3 directory traversal vulnerability

Original Release date: 20 Feb 2012 | Last revised: 02 Mar 2012

Overview

HP StorageWorks P2000 G3 contains a directory traversal vulnerability which may allow a remote, unauthenticated attacker to obtain sensitive information.

Description

HP StorageWorks P2000 G3 contains an embedded web server that is vulnerable to directory traversal, which may allow a remote, unauthenticated attacker to obtain sensitive information.

This vulnerability was also reported to ZDI by another researcher and was disclosed publicly.

Impact

A remote unauthenticated attacker could obtain sensitive information.

Solution

Apply Update

The vendor has reported that this issue has been addressed in the TS230P008 firmware.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks, since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing an HP StorageWorks P2000 G3 using stolen credentials from a blocked network location.

Vendor Information

Vendor                   Status    Date Notified  Date Updated
Hewlett-Packard Company  Affected  18 Nov 2011    02 Mar 2012

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

Thanks to Thomas Leonardo of The Cooperative Bank for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2011-4788
  • Date Public: 13 Jan 2012
  • Date First Published: 20 Feb 2012
  • Date Last Updated: 02 Mar 2012
  • Document Revision: 11
