Friday, April 15, 2011
There's more than one place to XSS this, but I like the error page of the printer because it is accessible even with authentication enabled. You can trigger it with a POST to refresh.htm, which writes the value provided in the "refresh_rate" variable into the resulting page unescaped.
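For anyone maintaining an embedded web server with this kind of handler, here is a sketch of the server-side fix: parse "refresh_rate" strictly as a number and HTML-escape anything the error page echoes. This is an added example, not HP's firmware code or code from the original post; the function names, the 1..3600 bounds and the page markup are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape HTML metacharacters; -1 if dst is too small (no partial entities). */
int html_escape(const char *src, char *dst, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (used + n >= cap) return -1;      /* keep room for the terminator */
        if (rep) memcpy(dst + used, rep, n); else dst[used] = *src;
        used += n;
    }
    dst[used] = '\0';
    return 0;
}

/* Plain decimal digits in 1..3600 (assumed bounds, not the printer's), else -1. */
long parse_refresh_rate(const char *val)
{
    char *end;
    if (val == NULL || *val < '0' || *val > '9') return -1;  /* no sign, no spaces */
    long v = strtol(val, &end, 10);          /* overflow yields LONG_MAX: rejected */
    return (*end != '\0' || v < 1 || v > 3600) ? -1 : v;
}

/* Response body for the POST; 1 = accepted, 0 = error page with escaped echo only. */
int render_refresh(const char *val, char *page, size_t cap)
{
    char safe[128];
    long rate = parse_refresh_rate(val);
    if (rate >= 0) {
        snprintf(page, cap, "<p>Refresh rate set to %ld seconds.</p>", rate);
        return 1;
    }
    if (!val || html_escape(val, safe, sizeof safe)) strcpy(safe, "(value omitted)");
    snprintf(page, cap, "<p>Invalid refresh_rate: %s</p>", safe);
    return 0;
}
```

The vulnerable pattern is the same error branch printing the raw value with `%s`; here the raw value never reaches the page on either path.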
I appreciate that HP took the time to disclose the bugs, but it makes me wonder what my expectations should be for them to fix any other HP products. Perhaps XSS is just below their threshold, or maybe they think printers are not worth fixing. It's hard to tell what they would care enough to patch.
Posted by aaron at 9:41 AM