‘XSS Bug in Compaq Insight Manager HTTP Server’

Summary

‘The Compaq Insight Manager Http server is vulnerable to the Cross Site Scripting (XSS) vulnerability. This vulnerability is caused by the results returned to a user when a non-existing file is requested. The vulnerability would allow an attacker to make the server present another user with malicious JavaScript/HTML code that is interpreted and executed without the user’s knowledge (e.g. the result contains the JavaScript provided in the request). This vulnerability was identified with a popular open-source vulnerability assessment tool and confirmed using the following XSS test.’

Credit:

‘The information has been provided by Taylor Huff and Toni Lassila.’


Details

Vulnerable systems:
 * CompaqHTTPServer version 3.6.0
 * CompaqHTTPServer version 4.2
 * CompaqHTTPServer version 4.3.7

Immune systems:
 * CompaqHTTPServer version 5.0.0

Example:
http://<Server IP>:2301/<script>alert(‘Test’)</script

Vendor response:
There is a 3rd party software tool that can be used for security assessments that flags any web server as potentially having this problem. Our web servers do not, to our knowledge, have this vulnerability. We have investigated it but it is a non-issue for us. This issue is just a ‘potential vulnerability’ rather than a ‘for sure’ problem. In other words, the tool is guessing that all web servers can have this problem.

Thank You,
HP E-Services

Categories: Windows