JetAdmin vulnerabilities
CVE-2000-0443
CAN-2000-0444
Impact
Vulnerabilities in JetAdmin could allow an attacker to read
arbitrary files on the server or cause a denial of service.
Background
HP Web JetAdmin provides the ability to install, configure, manage,
and troubleshoot TCP/IP and IPX connected devices on an enterprise's
intranet. It contains support for all HP JetDirect-connected
printers and plotters. This product allows users to manage HP
JetDirect-connected printers using just a browser.
The Problem
There are two unrelated vulnerabilities in HP Web JetAdmin.
CVE-2000-0443
The first vulnerability could allow an attacker to read arbitrary
files on the server using a specially crafted URL containing
the dot-dot-slash (../) string. This vulnerability affects
JetAdmin version 5.6.
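The defensive counterpart to this class of bug is a path check that resolves the requested URL against the document root before opening anything, plus a way to spot attempts in access logs. The following Python is an added example written for this page, not code from HP or from the advisory; the document root, the log format and the log lines are constructed, and the helper names are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root for this example; a real console would use the
# directory it actually serves files from.
WEB_ROOT = "/opt/webjetadmin/htdocs"

def resolve_request_path(url_path, web_root=WEB_ROOT):
    """Map a requested URL path onto the filesystem, returning None when the
    result would lie outside web_root (a dot-dot-slash escape)."""
    decoded = url_path.split("?", 1)[0]
    # Decode until stable so double-encoded %252e%252e%252f is caught too.
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # Windows NT hosts treat backslash as a separator; normalise it first.
    decoded = decoded.replace("\\", "/")
    # Join before normalising so '..' segments are resolved against the root,
    # then check the result is still inside it.
    target = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if target != web_root and not target.startswith(web_root + "/"):
        return None
    return target

# Constructed access-log lines (Common Log Format), not real JetAdmin output.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2000:10:15:01 -0500] "GET /index.htm HTTP/1.0" 200 2048
10.0.0.9 - - [02/Jun/2000:10:15:07 -0500] "GET /../../../winnt/win.ini HTTP/1.0" 200 1024
10.0.0.9 - - [02/Jun/2000:10:15:09 -0500] "GET /plugins/..%2f..%2fboot.ini HTTP/1.0" 200 512
10.0.0.5 - - [02/Jun/2000:10:15:12 -0500] "GET /plugins/../index.htm HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def find_traversal_requests(log_text):
    """Return the requested paths in log_text that would escape WEB_ROOT."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and resolve_request_path(match.group(1)) is None:
            hits.append(match.group(1))
    return hits

if __name__ == "__main__":
    for path in find_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", path)
```

Note that a plain `..` inside the root (the fourth log line) resolves cleanly and is not flagged; only requests whose normalised target leaves the root are reported.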
CAN-2000-0444
The second is a denial-of-service vulnerability.
By sending a specially crafted URL to the server,
a remote attacker could cause the JetAdmin service to stop.
Version 6.0 prior to 6.0.1233 on Windows NT 4.0 or 2000
is affected by this vulnerability.
Resolution
Upgrade to Web JetAdmin version 6.0.1233 or higher.
Where can I read more about this?
You can read about the dot-dot-slash vulnerability, the denial-of-service
vulnerability, and the fix in Bugtraq.