HP LaserJet P3015 contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the embedded web server not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../). This directory traversal attack would allow the attacker to read arbitrary files.

Upgrade to version 07.080.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1026488
• CVE ID: 2011-4785 (see also: NVD)
• Secunia Advisory ID: 47457
• Bugtraq ID: 51329
• ISS X-Force ID: 72227
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2012-01/0116.html
  http://seclists.org/bugtraq/2012/Jan/50
  http://seclists.org/bugtraq/2012/Jan/53
• Vendor Specific Advisory URL: http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03140700
• Vendor URL: http://www.hp.com/

• sxkeebler - Digital Defense, Inc. Vulnerability Research Team
• r@b13$ - Digital Defense, Inc. Vulnerability Research Team