TITLE:
HP Color LaserJet 2500/4600 Toolbox Disclosure of Sensitive Information

SECUNIA ADVISORY ID:
SA19529

VERIFY ADVISORY:
http://secunia.com/advisories/19529/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information

WHERE:
From local network

SOFTWARE:
HP Color LaserJet 2500 Toolbox 3.x
http://secunia.com/product/9172/
HP Color LaserJet 4600 Toolbox 3.x
http://secunia.com/product/9173/

DESCRIPTION:
Richard Horsman has reported a vulnerability in the HP Color LaserJet 2500 Toolbox and HP Color LaserJet 4600 Toolbox software, which can be exploited by malicious people to disclose sensitive information.

The vulnerability is caused due to an input validation error in the built-in HTTP server. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

Example:
http://[host]:5225/../../../[file]

SOLUTION:
Update to version 3.1.

HP Color LaserJet 2500 Toolbox:
http://www.hp.com/go/clj2500_software

HP Color LaserJet 4600 Toolbox:
http://www.hp.com/go/clj4600_software

PROVIDED AND/OR DISCOVERED BY:
Richard Horsman

ORIGINAL ADVISORY:
HPSBPI2109 SSRT061141:
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00634759
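The input validation that this class of bug lacks, shown as an added example that is not part of the Secunia or HP advisory and is not the Toolbox's code. The document root `DOC_ROOT` and the function names are hypothetical; the sketch contrasts a request-path mapping that lets `../` climb out of the served directory with one that rejects it, including percent-encoded and backslash forms.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Hypothetical document root; the advisory does not say where the Toolbox serves from.
DOC_ROOT = "/opt/toolbox/www"


def naive_resolve(url_path: str) -> str:
    """Flawed mapping: joins the request path to the root with no validation."""
    return posixpath.normpath(DOC_ROOT + "/" + unquote(url_path))


def safe_resolve(url_path: str) -> Optional[str]:
    """Return a path confined to DOC_ROOT, or None if the request must be refused."""
    # Decode exactly once, after dropping any query string or fragment.
    decoded = unquote(urlsplit(url_path).path)
    # NUL bytes and backslashes (an alternate separator on Windows hosts) are refused.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Refuse any dot-dot segment outright rather than trying to clean it up.
    if ".." in decoded.split("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # Final containment check: the normalised result must still sit under the root.
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths in the shape of the advisory's example.
    for path in ("/status/index.html",
                 "/../../../secret.txt",
                 "/%2e%2e/%2e%2e/secret.txt",
                 "/..%5c..%5csecret.txt"):
        print(f"{path!r:32} naive={naive_resolve(path)!r:40} safe={safe_resolve(path)!r}")
```

The first request resolves inside the root; the other three return `None` from `safe_resolve`, and a server would answer them with an error instead of opening a file.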