There seems to be an XSS possible when the CUPS web interface is accessed like: http://cups-server-name:631/<SCRIPT>whatever</SCRIPT>.shtml
I cannot reproduce it with CUPS 1.7.1, but CUPS 1.6.4 is vulnerable:
$ curl "http://192.168.0.1:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml"
<TITLE>Upgrade Required - CUPS v1.6.4</TITLE>
You must access this page using the URL https://192.168.0.1:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml.
If this was already reported and fixed in 1.7.1, could a patch be created for 1.6?
CUPS.org User: mike
Fixed in Subversion repository.
Holding as "private/pending" until we release 1.7.2.
The attached patch updates is_absolute_path() to check for < and quotes, and yields a "forbidden" error if you try to access the URL in your example.
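The fix described in the comment above, a stricter is_absolute_path() that refuses request paths containing `<` or quotes, addresses the report because CUPS 1.6.4 echoes the requested URL into the "Upgrade Required" page unescaped. The following C program is an added illustration written for this issue, not CUPS's own scheduler/client.c or the attached patch. It models both layers a defender would want: the path check the comment describes (returning 403 Forbidden), and HTML-escaping of the reflected host and path so the response is safe even for input the validator lets through. Rejecting `>` in addition to `<` and quotes, the HTTP status codes (403 and 426), the function names and the message wording are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative code written for this issue, not CUPS's own scheduler/client.c.
 * Two layers of defence for the reflected-URL problem in the report:
 *   1. the fix described in the thread: refuse request paths that are not
 *      absolute or that contain '<' or quotes, answering 403 Forbidden;
 *   2. HTML-escape whatever is reflected into the "Upgrade Required" page,
 *      so a path that slipped past the validator is rendered as text, not markup.
 * Also rejecting '>' goes slightly beyond "< and quotes" and is an assumption here.
 */

/* Return 1 if the request path may be served, 0 if it must be refused. */
int request_path_is_safe(const char *path)
{
    if (path == NULL || path[0] != '/')      /* must be an absolute path */
        return 0;
    if (strpbrk(path, "<>\"'") != NULL)      /* markup-significant characters */
        return 0;
    return 1;
}

/* HTML-escape src into dst. Returns 0 on success, -1 if dst is too small.
 * dst is always NUL-terminated when dstlen > 0. */
int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t used = 0;

    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        const char *rep;
        char one[2] = { *src, '\0' };
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n >= dstlen) {           /* leave room for the terminator */
            dst[used] = '\0';
            return -1;
        }
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return 0;
}

/* Build the status and HTML body for a plain-HTTP request that must move to
 * HTTPS. Returns 403 when the path is refused, 426 (Upgrade Required) when the
 * redirect message is produced, or -1 if a buffer is too small. The Host header
 * value is attacker-controlled too, so it is escaped as well. */
int upgrade_required_response(const char *host, const char *path,
                              char *body, size_t bodylen)
{
    char safe_host[256], safe_path[1024];

    if (!request_path_is_safe(path)) {
        snprintf(body, bodylen, "<TITLE>Forbidden</TITLE>\n");
        return 403;
    }
    if (html_escape(host, safe_host, sizeof safe_host) != 0 ||
        html_escape(path, safe_path, sizeof safe_path) != 0)
        return -1;
    int n = snprintf(body, bodylen,
                     "<TITLE>Upgrade Required</TITLE>\n"
                     "You must access this page using the URL https://%s:631%s.\n",
                     safe_host, safe_path);
    if (n < 0 || (size_t)n >= bodylen)
        return -1;
    return 426;
}

int main(void)
{
    /* Constructed inputs: the path from the report, an ordinary admin page,
     * and a relative path that fails the absolute-path requirement. */
    const char *paths[] = {
        "/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml",
        "/admin/",
        "admin",
    };
    char body[2048];

    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int status = upgrade_required_response("cups-server-name", paths[i],
                                               body, sizeof body);
        printf("%s -> %d\n%s\n", paths[i], status, body);
    }
    return 0;
}
```

The validator alone would have closed the reported URL, but output escaping is the control that removes the bug class: any later template that reflects request data stays safe regardless of which characters the path check happens to cover.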
# Log general information in error_log - change "info" to "debug" for
# Only listen for connections from the local machine.
# Max jobs per server, and per printer
# Don't store job files
# Browsing configuration varies per host; include it as a separate file
# Default authentication type, when authentication is required...
# Do not pause printers on communication errors
# Use papersize from PPD, don't enforce it
# Restrict access to the server...
Encryption Required
# Restrict access to the admin pages...
# Restrict access to configuration files...
# Set the default printer/job policies...
JobPrivateAccess @owner @System @printer-admins
JobPrivateValues job-name
# Job-related operations must be done by the owner or an administrator...
Require user @owner @System
# Job-related operations must be done by the owner or printer support...
Require user @owner @System @printer-admins
# All administration operations require an administrator to authenticate...
Require user @System @printer-admins
# Only allow system and role accounts to create new print queues.
Require user @System
# Only the owner or an administrator can cancel or authenticate a job...
Require user @owner @System @printer-admins
Order deny,allow
--- scheduler/client.c (revision 11597)