Multiple vulnerabilities found in HP Insight Diagnostics
Multiple vulnerabilities have been found lurking in HP's server management application Insight Diagnostics. When combined, the flaws can allow an attacker to execute arbitrary PHP code with administrator rights on the servers. There is no patch for the vulnerabilities so far.
The vulnerabilities, identified as CVE-2013-3573, CVE-2013-3574 and CVE-2013-3575, exist in version 188.8.131.5210 of the software and possibly earlier versions. A remote attacker will need to be authenticated for the combined vulnerabilities to be exploitable. The holes were found by Markus Wulftange from Daimler TSS, who recorded and reported the flaws to the vendor.
Since there is no fix available, US-CERT advises users to follow good security practice, restrict network access to the software, and allow connections only from trusted hosts and networks.