HP System Management Homepage < 7.1.1 Multiple Vulnerabilities

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by multiple vulnerabilities.

Description :

According to the web server's banner, the version of HP System
Management Homepage (SMH) hosted on the remote host is earlier than
7.1.1 and is, therefore, reportedly affected by the following
vulnerabilities :

- The bundled version of the libxml2 library contains
multiple vulnerabilities. (CVE-2011-1944, CVE-2011-2821,
CVE-2011-2834)

- The bundled version of PHP contains multiple
vulnerabilities. (CVE-2011-3379, CVE-2011-4153,
CVE-2011-4885, CVE-2012-1823, CVE-2012-0057,
CVE-2012-0830)

- The bundled version of the Apache HTTP Server contains
multiple vulnerabilities. (CVE-2011-3607, CVE-2011-4317,
CVE-2011-4415, CVE-2012-0021, CVE-2012-0031,
CVE-2012-0053)

- An issue exists in the 'include/iniset.php' script in
the embedded version of RoundCube Webmail that could
lead to a denial of service. (CVE-2011-4078)

- The bundled version of OpenSSL contains multiple
vulnerabilities. (CVE-2011-4108, CVE-2011-4576,
CVE-2011-4577, CVE-2011-4619, CVE-2012-0027,
CVE-2012-1165)

- The bundled versions of curl and libcurl do not
properly consider special characters during extraction
of a pathname from a URL. (CVE-2012-0036)

- Unspecified form fields do not set the autocomplete
attribute to 'off', which makes it easier for remote
attackers to obtain access by leveraging an unattended
workstation. (CVE-2012-2012)

- An unspecified vulnerability exists that could allow a
remote attacker to cause a denial of service, or
possibly obtain sensitive information or modify data.
(CVE-2012-2013)

- An unspecified vulnerability exists related to improper
input validation. (CVE-2012-2014)

- An unspecified vulnerability allows remote,
unauthenticated users to gain privileges and obtain
sensitive information. (CVE-2012-2015)

- An unspecified vulnerability allows local users to
obtain sensitive information via unknown vectors.
(CVE-2012-2016)

See also :

http://www.nessus.org/u?541c7466
http://www.securityfocus.com/archive/1/523320/30/0/threaded

Solution :

Upgrade to HP System Management Homepage 7.1.1 or later.

Risk factor :

High / CVSS Base Score : 9.7
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:P)
CVSS Temporal Score : 8.0
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true