Home Page
=====================================================================================
Hopeless comments regarding the pointless
"HP System Management Homepage (SMH) Unspecified XSS"
August 25, 2008
=====================================================================================
[Overview]
Since HP does not provide technical details in its security bulletins, it is really
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02029444
Version: 1
HPSBMA02492 SSRT100079 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-04-20
Last Updated: 2010-04-20
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02000727
Version: 1
HPSBMA02504 SSRT090220 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-02-03
Last Updated: 2010-02-03
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01183597
Version: 1
HPSBMA02275 SSRT071445 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-10-03
Last Updated: 2007-10-03
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02171256
Version: 1
HPSBMA02534 SSRT090180 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Unauthorized Information Disclosure, Unauthorized Data Modification, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-05-17
Last Updated: 2010-05-17
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01118771
Version: 1
HPSBMA02250 SSRT061275 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Execution of Arbitrary Code and Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-01
Last Updated: 2007-08-01
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01488878
Version: 1
HPSBMA02345 SSRT080039 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-06-30
Last Updated: 2008-06-30
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01743291
Version: 1
HPSBMA02426 SSRT090053 rev.1 - HP System Management Homepage (SMH) for Linux and Windows Running PHP and OpenSSL, Remote Cross Site Scripting (XSS), Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-05-14
Last Updated: 2009-05-14
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01745065
Version: 1
HPSBMA02428 SSRT090048 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-05-18
Last Updated: 2009-05-18
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01488878
Version: 2
HPSBMA02345 SSRT080039 rev.2 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-06-30
Last Updated: 2008-08-18
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01570589
Version: 1
HPSBMA02376 SSRT080099 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-10-08
Last Updated: 2008-10-08
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02512995
Version: 1
HPSBMA02568 SSRT100219 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), HTTP Response Splitting, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-09-15
Last Updated: 2010-09-15
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02512995
Version: 2
HPSBMA02568 SSRT100219 rev.2 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), HTTP Response Splitting, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-09-15
Last Updated: 2010-09-17
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02514953
Version: 1
HPSBMA02584 SSRT100230 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote URL Redirection
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-09-22
Last Updated: 2010-09-22
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02514929
Version: 1
HPSBMA02578 SSRT100069 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Information Disclosure
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-09-22
Last Updated: 2010-09-22
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02518794
Version: 1
HPSBMA02583 SSRT100070 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote URL Redirection
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-09-22
Last Updated: 2010-09-22
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02735910
Version: 1
HPSBMA02662 SSRT100409 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Unauthorized Access, Execution of Arbitrary Code, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-04-19
Last Updated: 2011-04-19
Official Information:
http://www.vbulletin.com/forum/showthread.php?t=319572
-:: The Advisory ::-
The "Home Page" field in the user profile was only checking the user input
for either "www" or the following regular expression written in normal text:
Any letter from A to Z and/or a number from 0-9 + :// will make the link valid.
The output in the Home Page field is encoded with most likely htmlspecialchars(),
however before the patch it did not check if a user would create a link that
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02475053
Version: 1
HPSBMA02566 SSRT100045 rev.1 - HP System Management Homepage (SMH) for Linux, Remote Disclosure of Sensitive Information
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-09-13
Last Updated: 2010-09-13
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01586921
Version: 2
HPSBMA02380 SSRT080121 rev.2 - HP System Management Homepage (SMH) for HP-UX, Local Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-11-03
Last Updated: 2008-11-10
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01164065
Version: 1
HPSBMA02258 SSRT071470 rev.1 - HP System Management Homepage (SMH) for Windows, Incomplete Update Installation
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-09-10
Last Updated: 2007-09-12
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01034748
Version: 4
HPSBMA01212 SSRT5998 rev.4 - HP System Management Homepage Running PHP, Remote Denial of Service (DoS), Cross Site Scripting (XSS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2005-09-21
Last Updated: 2010-08-30
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03280632
Version: 1
HPSBMU02764 SSRT100827 rev.1 - HP System Management Homepage (SMH) Running on Linux and Windows, Remote Cross Site Request Forgery (CSRF), Denial of Service (DoS), Execution of Arbitrary Code, Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-04-16
Last Updated: 2012-04-16
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03280632
Version: 2
HPSBMU02764 SSRT100827 rev.2 - HP System Management Homepage (SMH) Running on Linux and Windows, Remote Cross Site Request Forgery (CSRF), Denial of Service (DoS), Execution of Arbitrary Code, Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-04-16
Last Updated: 2012-04-19
A. Initially, an attacker gains guest access to the system, by first
accessing:
http://host:port/OA_HTML/OA.jsp
While an error is generated at this step, the attacker can proceed now to
the "My Homepage" page, which will now allow guest access:
http://host:port/pls/[DADName]/OracleMyPage.home
B. The attacker now goes to edit his personal homepage, by accessing the
"Edit Page List" URL:
http://host:port/pls/[DADName]/icx_define_pages.editpagelist
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01183265
Version: 3
HPSBMA02274 SSRT071445 rev.3 - HP System Management Homepage (SMH) for HP-UX, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-10-03
Last Updated: 2008-02-11
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01183265
Version: 1
HPSBMA02274 SSRT071445 rev.1 - HP System Management Homepage (SMH) for HP-UX, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-10-03
Last Updated: 2007-10-03
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01183265
Version: 2
HPSBMA02274 SSRT071445 rev.2 - HP System Management Homepage (SMH) for HP-UX, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-10-03
Last Updated: 2007-10-17
III. DESCRIPTION
-------------------------
Cisco VPN SSL Clientless lets administrators define rules to specific
targets within the private network that WebVPN users will be able to
access. These specific targets are published using links in the VPN SSL
home page. These links (URLs) are protected (obfuscated) using a ROT13
substitution[2] and converting ASCII characters to hexadecimal. A
user with a valid account and without "URL entry" can access any
internal/external resource simply by taking a URL, encrypting it with ROT13,
converting the ASCII characters to hexadecimal and appending this string to
the Cisco VPN SSL URL.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03164351
Version: 1
HPSBMU02742 SSRT100740 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Unauthorized Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-02-08
Last Updated: 2012-02-08