The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of HP SiteScope: command execution via loadFileContents

Summary of the vulnerability

An attacker can call the loadFileContents function of HP SiteScope, in order to execute a command on the server.
Severity of this computer vulnerability: 3/4.
Creation date: 05/03/2014.
References for this bulletin: BID-65972, c03969435, CVE-2013-6207, HPSBMU02933, SSRT101126, VIGILANCE-VUL-14362, ZDI-14-043.

Description of the vulnerability

The HP SiteScope product has a SOAP interface, which is used for remote queries.

However, the SOAP API exposes the loadFileContents function, which can be used to execute a command.

An attacker can therefore call the loadFileContents function of HP SiteScope, in order to execute a command on the server.

This security alert impacts software or systems such as SiteScope.

Our Vigil@nce team determined that the severity of this security weakness is important.

The trust level is "confirmed by the editor", and the origin is "intranet client".

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat

HP SiteScope: patch.
A patch is available.
The master.config file then has to be edited, in order to add:
  _disableOldAPIs=true
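
One way to verify the setting after patching, as an added example that is not part of the Vigil@nce bulletin or of HP's documentation. It assumes master.config is a plain-text file of name=value lines and takes the file's path as an argument; the function name, status strings and sample contents are hypothetical.

```python
import sys

KEY = "_disableOldAPIs"   # setting named in the bulletin
WANTED = "true"           # value the bulletin says to add

def audit_master_config(text):
    """Return (status, values_seen) for the contents of a master.config file.

    status is 'ok', 'missing', 'not_true' or 'conflict'.
    Assumption: one name=value pair per line. A line whose name is not
    exactly KEY (for example a disabled or prefixed copy) is ignored.
    """
    seen = []
    for raw in text.splitlines():          # handles LF and CRLF endings
        name, sep, value = raw.strip().partition("=")
        if sep and name.strip() == KEY:
            seen.append(value.strip())
    if not seen:
        return "missing", seen
    if all(v == WANTED for v in seen):
        return "ok", seen
    if WANTED in seen:
        # The key appears more than once with different values; which one
        # the product honours is not stated in the bulletin, so flag it.
        return "conflict", seen
    return "not_true", seen

# Constructed sample contents, not taken from a real installation.
SAMPLES = {
    "hardened": "_exampleSetting=1\r\n_disableOldAPIs=true\r\n",
    "unpatched": "_exampleSetting=1\n",
    "explicitly off": "_disableOldAPIs=false\n",
    "duplicated": "_disableOldAPIs=false\n_disableOldAPIs=true\n",
}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            status, seen = audit_master_config(fh.read())
        print(f"{sys.argv[1]}: {status} {seen}")
        sys.exit(0 if status == "ok" else 1)
    for label, text in SAMPLES.items():
        print(label, audit_master_config(text))
```

Run with the path to master.config as the only argument; a non-zero exit status means the file does not contain the setting exactly as the bulletin gives it.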
