HP SiteScope SOAP Call GetSiteScopeConfiguration Remote Code Execution Vulnerability Network Vulnerability

Summary

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP SiteScope. Authentication is not required to exploit this vulnerability. The specific flaw exists because HP SiteScope allows unauthenticated SOAP calls to be made to the SiteScope service. One of those calls is getSiteScopeConfiguration() which will return the current configuration of the server including the administrator login and password information. A remote attacker could abuse this vulnerability to login to SiteScope with administrative privileges then execute arbitrary code through the underlying functionality.

References

http://www.hp.com/
http://www.zerodayinitiative.com/advisories/ZDI-12-173/

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C

Related Vulnerabilities

Adiscon LogAnalyzer Multiple SQL Injection and XSS Vulnerabilities
ASP Inline Corporate Calendar SQL injection
aflog Cookie-Based Authentication Bypass Vulnerability
A-Blog 'sources/search.php' SQL Injection Vulnerability
AWCM CMS Multiple Remote File Include Vulnerabilities

HP SiteScope SOAP Call getSiteScopeConfiguration Remote Code Execution Vulnerability

Take action and discover your vulnerabilities