FX has reported multiple vulnerabilities in HP Web Jetadmin, where the most serious issues can be combined to compromise a vulnerable system.

1) The content of scripts can be disclosed by appending a dot (".") at the end of a requested URL.

2) The location of the file "framework.ini", which contains various critical entries (encrypted passwords, user permissions etc.), can be disclosed by viewing the source of certain HTML files. The problem is that HTML files generated by a ".HTS" script will include this information in a HTML comment line.

3) The "framework.ini" file is by default located inside the web server's root directory.

Example:
http://[victim]:8000/plugins/framework/framework.ini

4) The encryption scheme employed by the application to encrypt various account information is reportedly weak and can be easily reversed. Some of this information can e.g. then be used in replay attacks.

5) An error when handling encrypted strings can be exploited to make the application enter an infinite loop by passing a value of 0xFFFF as the length of the encrypted data. Successful exploitation freezes the service.

6) The user authentication can be bypassed when accessing the Web Jetadmin functionality. This can be exploited to perform various actions by leaving out the string "Framework:CheckPassword;" in the "obj" parameter of a HTTP POST request when accessing functions.

The vulnerabilities have been reported in version 6.5 and partly in versions 7.0, 6.2 and prior.

Solution
Update to version 7.5.

Provided and/or discovered by
FX, Phenoelit Group.

Original Advisory
HP:
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBPI01026

Phenoelit Group:
http://www.phenoelit.de/stuff/HP_Web_Jetadmin_advisory.txt

Deep Links
Links available in Customer Area