XSS in CUPS 1.6.4 web interface #4356

Closed
michaelrsweet opened this Issue Jan 30, 2014 · 9 comments

michaelrsweet commented Jan 30, 2014

Version: 1.6-current
CUPS.org User: alexk

There seems to be an XSS possible when the CUPS web interface is accessed like: http://cups-server-name:631/<SCRIPT>whatever</SCRIPT>.shtml

I cannot reproduce it with CUPS 1.7.1, but CUPS 1.6.4 is vulnerable:

Easy test:

$ curl "http://192.168.0.1:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml"

<TITLE>Upgrade Required - CUPS v1.6.4</TITLE>

Upgrade Required

You must access this page using the URL https://192.168.0.1:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml.

If this was already reported and fixed in 1.7.1, could a patch be created for 1.6?

michaelrsweet commented Jan 31, 2014

CUPS.org User: mike

Alex,

I'm unable to reproduce. Can you provide me with your cupsd.conf file?

michaelrsweet commented Jan 31, 2014

CUPS.org User: alexk

Attached both cupsd.conf and cups-files.conf.

michaelrsweet commented Feb 19, 2014

CUPS.org User: mike

OK, so this could still be an issue with current versions of CUPS.

The simplest fix is to block any such URL, probably in the is_path_absolute function.

michaelrsweet commented Feb 19, 2014

CUPS.org User: mike

Fixed in Subversion repository.

Holding as "private/pending" until we release 1.7.2.

The attached patch updates is_absolute_path() to check for < and quotes, and yields a "forbidden" error if you try to access the URL in your example.
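As an added example (not CUPS code, and not the patch attached to this report), the following C program shows both defences the thread touches on: the deny-list check on the request path that the fix describes (rejecting "<" and quotes), and, for the page itself, HTML-escaping the echoed URL so that a path which slips past the path check still renders as inert text. The function names, the page template and the sample host/path values are assumptions made for this example.

```c
/*
 * Added example (not CUPS code): two defences against a reflected-XSS
 * pattern where an error page echoes the request URI back into HTML.
 *
 *  1. path_is_acceptable(): the deny-list check the fix describes
 *     (reject '<', '"' and '\'' in the request path).
 *  2. html_escape() + render_upgrade_required(): output-encode the
 *     request path before echoing it, so the page is safe even if the
 *     path check is bypassed or forgotten.
 *
 * Function names and the page template are assumptions for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if the path may be served, 0 if it contains '<', '"' or '\''. */
int path_is_acceptable(const char *path)
{
  return strchr(path, '<') == NULL &&
         strchr(path, '"') == NULL &&
         strchr(path, '\'') == NULL;
}

/* Returns a malloc'd HTML-escaped copy of s (caller frees), or NULL. */
char *html_escape(const char *s)
{
  size_t len = 0;
  const char *p;

  /* First pass: compute the escaped length. */
  for (p = s; *p; p++)
    switch (*p) {
      case '&':            len += 5; break;  /* &amp;  */
      case '<': case '>':  len += 4; break;  /* &lt; &gt; */
      case '"':            len += 6; break;  /* &quot; */
      case '\'':           len += 5; break;  /* &#39;  */
      default:             len += 1; break;
    }

  char *out = malloc(len + 1), *q = out;
  if (!out)
    return NULL;

  /* Second pass: copy, replacing the five HTML-significant characters. */
  for (p = s; *p; p++) {
    const char *rep = NULL;
    switch (*p) {
      case '&':  rep = "&amp;";  break;
      case '<':  rep = "&lt;";   break;
      case '>':  rep = "&gt;";   break;
      case '"':  rep = "&quot;"; break;
      case '\'': rep = "&#39;";  break;
    }
    if (rep) { size_t n = strlen(rep); memcpy(q, rep, n); q += n; }
    else     *q++ = *p;
  }
  *q = '\0';
  return out;
}

/* Render an "Upgrade Required" body with the echoed URL escaped (malloc'd). */
char *render_upgrade_required(const char *host, int port, const char *path)
{
  char *safe = html_escape(path);
  if (!safe)
    return NULL;

  size_t need = strlen(safe) * 2 + strlen(host) * 2 + 160;
  char  *page = malloc(need);
  if (page)
    snprintf(page, need,
             "<TITLE>Upgrade Required</TITLE>\n"
             "<P>You must access this page using the URL "
             "<A HREF=\"https://%s:%d%s\">https://%s:%d%s</A>.</P>\n",
             host, port, safe, host, port, safe);
  free(safe);
  return page;
}

/* Returns 1 if escaping and rendering behave as expected on a sample path. */
int self_check(void)
{
  int   ok = 1;
  char *e  = html_escape("/<SCRIPT>x</SCRIPT>.shtml");
  ok = ok && e && strcmp(e, "/&lt;SCRIPT&gt;x&lt;/SCRIPT&gt;.shtml") == 0;
  free(e);

  char *p = render_upgrade_required("192.168.0.1", 631, "/<b>.shtml");
  ok = ok && p && strstr(p, "<b>") == NULL && strstr(p, "&lt;b&gt;") != NULL;
  free(p);
  return ok;
}

int main(void)
{
  const char *path = "/<SCRIPT>x</SCRIPT>.shtml";   /* constructed sample */
  printf("path accepted: %s\n", path_is_acceptable(path) ? "yes" : "no");
  char *page = render_upgrade_required("192.168.0.1", 631, path);
  if (page) { fputs(page, stdout); free(page); }
  return self_check() ? 0 : 1;
}
```

The path check is cheap and matches what the fix does, but it is a deny list: output encoding at the point where the URL is written into the page is what makes the page safe regardless of which characters the check happens to cover.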

michaelrsweet commented Feb 19, 2014

CUPS.org User: alexk

Thanks, looks like the patch works with 1.6.4 as well.

michaelrsweet commented Apr 10, 2014

CUPS.org User: mike

Fixed in Subversion repository.

michaelrsweet commented Apr 10, 2014

"cupsd.conf":

ServerName printserver
ServerAlias *

Include /etc/cups/cups-files.conf

MaxLogSize 1000000000

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info

# Only listen for connections from the local machine.
Port 631
SSLPort 443

MaxClients 20000
MaxClientsPerHost 1000

# Max jobs per server, and per printer
MaxJobs 250
MaxJobsPerPrinter 25

# Don't store job files
PreserveJobFiles Off

FilterNice 5

# Browsing configuration varies per host; include it as a separate file
Browsing off

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Do not pause printers on communication errors
ErrorPolicy retry-job

# Use papersize from PPD, don't enforce it
DefaultPaperSize none

# Restrict access to the server...
Encryption Required

# Restrict access to the admin pages...
<Location /admin>
  Encryption Required
  Require user @System @printer-admins
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  Encryption Required
  Require user @System @printer-admins
</Location>

# Set the default printer/job policies...
# (the <Policy>/<Limit> lines that wrap the following directives did not
# survive in the attachment as posted)
JobPrivateAccess @owner @System @printer-admins
JobPrivateValues job-name

# Job-related operations must be done by the owner or an administrator...
Require user @owner @System

# Job-related operations must be done by the owner or printer support...
Require user @owner @System @printer-admins

# All administration operations require an administrator to authenticate...
Require user @System @printer-admins

# Only allow system and role accounts to create new print queues.
Require user @System

# Only the owner or an administrator can cancel or authenticate a job...
Require user @owner @System @printer-admins
Order deny,allow
michaelrsweet commented Apr 10, 2014

"cups-files.conf":

ConfigFilePerm 0644
LogFilePerm 0644

AccessLog syslog
PageLog syslog

# Administrator user group...
SystemGroup root cups-admins

ServerCertificate /etc/cups/ssl/server.crt
ServerKey /etc/cups/ssl/server.key

michaelrsweet commented Apr 10, 2014

"str4356.patch":

Index: scheduler/client.c

--- scheduler/client.c (revision 11597)
+++ scheduler/client.c (working copy)
@@ -3316,6 +3316,14 @@
return (0);

/*

  • * Check for "<" or quotes in the path and reject since this is probably
  • * someone trying to inject HTML...
  • */
  • if (strchr(path, '<') != NULL || strchr(path, '"') != NULL || strchr(path, ''') != NULL)
  • return (0);
  • /*
    • Check for "/.." in the path...
      */
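Review bot: the third character literal in the added check, `strchr(path, ''')`, is not valid C as it appears in this hunk; a single quote has to be written as `'\''` (if the committed revision already has that, this is only how the attachment rendered here). Beyond that, the check is a deny list on the request path covering `<`, `"` and `'` only, while the report shows the error page echoing the full request URI into HTML without escaping it; rejecting the path is a reasonable quick fix, but HTML-escaping the URI where the "Upgrade Required" template writes it would close the same hole for any character the list does not name. A short comment pointing at the template as the other half of the fix would help the next reader.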

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
