Credit:
The information has been provided by Carlos Perez.
The original article can be found at: http://www.zerodayinitiative.com/advisories/ZDI-12-015/
Vulnerable Systems:
* Hewlett-Packard StorageWorks P2000 G3
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the web interface listening on TCP port 80. A directory traversal flaw allows a remote attacker to view any file on the system by simply specifying it in the default URI. Additionally, the password file contains a default login that can be used to authenticate to the device. A remote attacker can leverage this to perform any task an administrator is able to.
Workaround:
HP states that a patch for this vulnerability will be made available to the public "soon." Until that time, it is recommended that administrators of StorageWorks systems restrict access to the web interface on 80/tcp to authorized hosts only.
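To check that the restriction above is holding, the following added example (not part of the original advisory or any HP tooling) audits proxy or flow log lines for requests to an array's web interface on 80/tcp that come from outside an authorized subnet. The log format, the addresses and the ".." heuristic are assumptions; the advisory does not describe the request form, so the traversal check is a generic one.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed values, not from the advisory: replace with your own inventory.
ARRAY_MGMT = {"10.20.0.15"}  # constructed management IP of an array
AUTHORIZED = [ipaddress.ip_network("10.20.9.0/28")]  # constructed admin subnet

# Constructed sample lines: "<src_ip> <dst_ip>:<port> <METHOD> <raw_uri>"
SAMPLE_LOG = """\
10.20.9.4 10.20.0.15:80 GET /index.html
10.20.33.7 10.20.0.15:80 GET /index.html
10.20.9.5 10.20.0.15:80 GET /%2e%2e/%2e%2e/etc/passwd
10.20.33.7 10.20.0.15:443 GET /
10.20.33.8 10.20.0.99:80 GET /../x
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+)$")

def has_traversal(raw_uri):
    """True if the URI holds a '..' path segment after bounded URL-decoding."""
    path = raw_uri
    for _ in range(3):  # bounded loop also catches double-encoded input
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return ".." in path.replace("\\", "/").split("/")

def audit(log_text):
    """Return (line_no, src_ip, reasons) for suspicious requests to 80/tcp."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, dst, port, _method, uri = m.groups()
        if dst not in ARRAY_MGMT or port != "80":
            continue  # only the array web interface on 80/tcp is in scope
        reasons = []
        if not any(ipaddress.ip_address(src) in net for net in AUTHORIZED):
            reasons.append("unauthorized-source")
        if has_traversal(uri):
            reasons.append("traversal-in-uri")
        if reasons:
            findings.append((n, src, reasons))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any "unauthorized-source" finding means the access restriction is not effective for that path through the network.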
CVE Information:
CVE-2011-4788
Disclosure Timeline:
2011-06-01 - Vulnerability reported to vendor
2012-01-12 - Coordinated public release of advisory