HP Power Manager formExportDataLogs buffer overflow

Added: 01/22/2010
CVE: CVE-2009-3999
BID: 37867
OSVDB: 61848

Background

HP Power Manager is a web-based application that enables administrators to manage an HP UPS from a browser-based management console.

Problem

A buffer overflow vulnerability HP Power Manager allows remote attackers to execute arbitrary commands by sending an HTTP POST request for the formExportDataLogs program with a specially crafted fileName parameter.

Resolution

Upgrade to HP Power Manager 4.2.10 or higher.

References

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01971741
http://secunia.com/secunia_research/2009-47/

Limitations

Exploit works on HP Power Manager 4.2.9 on Microsoft Windows Server 2003 SP2 with patch KB933729.

Platforms

Windows

Back to exploit index