lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090411152613.13010.qmail@securityfocus.com>
Date: 11 Apr 2009 15:26:13 -0000
From: mcyr2@....com
To: bugtraq@...urityfocus.com
Subject: HP Deskjet 6800 XSS in Web Interface

A Cross-site scripting input validation error has been identified in the web interface of the HP Deskjet 6800 printer family.  By sending a string such as <script>alert("found XSS on this page")</script> via a POST request to /refresh_rate.htm the resulting error page will execute the script.  

Verified on Deskjet 6840 firmware version: XF1M131A, but the firmware seems to be generic to the 6800 family, so possibly the entire family is vulnerable.

Vulnerability Timeline: 
3/21/09: Vendor notification via email
3/21/09: Vendor upgrades ticket to "next level of support"
3/31/09: Vendor's "Advanced Support Group" replies: the issue that you are experiencing is due to faulty firmware of the 
printer and as a result the printer needs to be serviced from a HP 
authorized service center.
3/31/09: I Reply asking what firmware version fixes the issue and ask if this vulnerability has been reported previously
3/31/09: Vendor replys: I regret to inform you that there is no specific firmware is available for your printer. As the issue is related to the hardware of the printer, it is beyond the scope of our email support and needs the personal attention of a technician. I would suggest you to get the printer serviced at the nearest HP Authorised service centre. For your convenience I provided below information to locate the nearest HP Authorised service centre.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ