Category:   Device (Printer)  >   HP Printer
Vendors:   HPE
HP Color LaserJet Web Interface Permits Remote Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007293
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 24 2003
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): Color LaserJet 4550
Description:   A vulnerability was reported in the HP Color LaserJet 4550. A remote user can conduct cross-site scripting attacks. It is also reported that the system is configured by default to have no password. Because of this, a remote user can access the web-based management interface.

It is also reported that the web interface does not filter HTML from user-supplied input. A remote user can create HTML that, when loaded by the target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the printer and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the printer, access data recently submitted by the target user via web form to the printer, or take actions on the printer acting as the target user.

Impact:   A remote user can gain access to the web-based administration interface (in the default configuration where no password has been set).

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the printer, access data recently submitted by the target user via web form to the printer, or take actions on the printer acting as the target user. A remote user can also temporarily render the target user's web interface unusable.

Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Configuration error, Input validation error

Message History:   None.

 Source Message Contents

Subject:  [0day] HP LaserJet 4550 - Remote XSS DoS

-= 0day - Freedom of Voice - Freedom of Choice =-

          - EXPL-A-2003-018 Advisory 018
                  -= HP Color LaserJet 4550 =-

Donnie Werner
July 22, 2003

Hewlett Packard Color LaserJet 4550 ( possibly others )

1. Remote Persistent Xss DoS
2. no default password

Description of product:
"Designed for business professionals who want
 to communicate more effectively using high-quality,
  professional - looking color documents"


1. Remote Persistent Xss DoS

The remote administration interface of the
HP Color LaserJet 4550 uses extensive javascript in
building dynamic content for administration of the
printer's setup and management.

uhh oh..

Detail: by introducing XSS we render the remote interface useless...

Example 1.

Add Link:
 The HP allows an inclusion of a user definable link...


as you can see the left hand menu has completely been rendered useless...
( sorry )


when re-rendered we get weird output depending on the JS used..
some examples..


" id="lnkOtherLink0" target="_blank">


looking at the source...

--------- snip -------------
document.writeln('<div id="navcap"><img border="0"
src="images/button_bottom.gif" width="140" height="21"><BR>');
string = 'Other Links';
document.writeln('<p><b>' + string + '</b><br>');
tmpString = '<a target="_blank"
id="lnkHardLink0"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">My Printer</font></a><br><a target="_blank"
id="lnkHardLink1"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">Order Supplies</font></a><br><a target="_blank"
x" id="lnkHardLink2"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">Solve A Problem</font></a><br>';
tmpString = '<a href="http://<script>alert("You are vunerable to xss -
discover" id="lnkOtherLink0" target="_blank"><font
face="Helvetica,Arial,Gill Sans,Sans Serif"
document.writeln(tmpString + '</p>');
mapheight = navcaptop - topofbuttons;
document.writeln('<div id="navmap"><img border="0" src="images/spacer.gif"
width="140" height="'+mapheight+'" usemap="#buttonsmap"></div>');
document.writeln('<MAP NAME="buttonsmap">');
for (var i=0; i < buttonarray.length; i++) {
document.writeln('<AREA SHAPE="rect"
------- snip -------------


Example 2.

 Network Statistics
 > Protocol Info
 Test Page

system contact and system location both vuln to..

<script language="JavaScript"

which allows remote inclusion that is persistent

this  writes to the rom and is viewable even over snmp

I am assuming the only way to fix these issues
 are to upgrade the rom or reset via a CLI interface

2. no default password
if this was set this couldn't happen I guess.. ( oops again )



Vendor Fix:
No fix on 0day ( aww.. shucks )

Vendor Contact:
Concurrent with this advisory

Donnie Werner


locate the "e-cupon" box
enter <script>document.write(document.cookie)</script>
press "Submit"
laugh "real hard"

0day mailing list
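
The page source quoted in the message above shows the stored link being concatenated into a JavaScript string literal that is then passed to document.writeln(). As an added example (not part of the original advisory and not HP's code), the sketch below sets that pattern beside a hardened form that validates the URL and encodes for both the HTML and the JS-string context; the function names and sample inputs are constructed.

```javascript
// Added example. Function names and sample inputs are constructed; only the
// markup shape (tmpString, lnkOtherLink0) is taken from the quoted page source.

// Vulnerable form: stored values are pasted straight into a JS string literal
// that the page later hands to document.writeln().
function renderLinkUnsafe(url, label) {
  return "tmpString = '<a href=\"" + url +
    "\" id=\"lnkOtherLink0\" target=\"_blank\">" + label + "</a><br>';";
}

// Accept only absolute http/https URLs; return the normalized form or null.
function normalizeLink(url) {
  try {
    const u = new URL(url);
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : null;
  } catch (e) {
    return null; // not parseable as a URL at all
  }
}

// Inner context: HTML text and double-quoted attribute values.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, c => "&#" + c.charCodeAt(0) + ";");
}

// Outer context: JS string literal inside an inline <script> block. Anything
// outside a small safe set becomes \uXXXX, so the value cannot close the
// quote, start a new line, or spell "</script>".
function jsStringEncode(s) {
  return String(s).replace(/[^A-Za-z0-9 .,:\/_-]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened form: validate, encode for HTML, then encode for the JS literal.
function renderLinkSafe(url, label) {
  const href = normalizeLink(url);
  if (href === null) return null; // reject when the setting is saved
  const html = '<a href="' + htmlEncode(href) +
    '" id="lnkOtherLink0" target="_blank">' + htmlEncode(label) + "</a><br>";
  return "tmpString = '" + jsStringEncode(html) + "';";
}

// Constructed sample input: a label carrying script markup.
const sample = renderLinkSafe("http://example.com/supplies",
  "</script><script>alert('x')</script>");
console.log(sample);
```

The same two-layer encoding applies to any stored field the interface echoes into script-built markup, such as the system contact and system location values mentioned in Example 2.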

