XSS in CUPS 1.6.4 web interface #4356

Closed
michaelrsweet opened this Issue Jan 30, 2014 · 9 comments


michaelrsweet commented Jan 30, 2014

Version: 1.6-current
CUPS.org User: alexk

There seems to be an XSS possibility when the CUPS web interface is accessed like: http://cups-server-name:631/.shtml

I cannot reproduce it with CUPS 1.7.1, but CUPS 1.6.4 is vulnerable:

Easy test:

$ curl "http://192.168.0.1:631/.shtml"

Upgrade Required - CUPS v1.6.4

Upgrade Required

You must access this page using the URL https://192.168.0.1:631/.shtml.

If this was already reported and fixed in 1.7.1, could a patch be created for 1.6?


michaelrsweet commented Jan 31, 2014

CUPS.org User: mike

Alex,

I'm unable to reproduce. Can you provide me with your cupsd.conf file?


michaelrsweet commented Jan 31, 2014

CUPS.org User: alexk

Attached both cupsd.conf and cups-files.conf


michaelrsweet commented Feb 19, 2014

CUPS.org User: mike

OK, so this could still be an issue with current versions of CUPS.

The simplest fix is to block any such URL, probably in the is_path_absolute function.


michaelrsweet commented Feb 19, 2014

CUPS.org User: mike

Fixed in Subversion repository.

Holding as "private/pending" until we release 1.7.2.

The attached patch updates is_absolute_path() to check for < and quotes, and yields a "forbidden" error if you try to access the URL in your example.
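As an added example (not CUPS code, and not the patch attached to this issue), the C below shows the two complementary controls a reviewer would want around a request path that is echoed into an error page like the "Upgrade Required" response quoted at the top of the issue: an input-side reject list in the spirit of the one the patch adds, broadened here to `>` and `&` as well, and output-side HTML escaping of the echoed URL, which is what keeps the reflected path from being rendered as markup even when a character gets past the list. The function names (path_has_markup_chars, html_escape, upgrade_required_body) and the page template are hypothetical, and the sample path is constructed for the demonstration.

```c
/*
 * Added example, not CUPS code. Hypothetical helpers showing how a request
 * path that is echoed into an error page (like the "Upgrade Required" page
 * in this issue) can be kept from being rendered as HTML:
 *   path_has_markup_chars()  - input-side reject list (the patch rejects
 *                              '<', '"' and '\''; this adds '>' and '&')
 *   html_escape()            - output-side encoding of whatever is echoed
 *   upgrade_required_body()  - a made-up page template that uses both
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if the path contains a character that can open or close HTML
 * markup or break out of an attribute value, 0 otherwise. This looks at
 * the bytes it is given: a percent-encoded "%3C" is NOT rejected here. */
int path_has_markup_chars(const char *path)
{
  return strpbrk(path, "<>\"'&") != NULL;
}

/* Entity for each character that is special in HTML text or inside a
 * double- or single-quoted attribute; NULL for everything else. */
static const char *html_entity(char c)
{
  switch (c)
  {
    case '&'  : return "&amp;";
    case '<'  : return "&lt;";
    case '>'  : return "&gt;";
    case '"'  : return "&quot;";
    case '\'' : return "&#39;";
    default   : return NULL;
  }
}

/* HTML-escape s into a newly allocated string; caller frees. NULL on OOM. */
char *html_escape(const char *s)
{
  size_t     len = 0;
  const char *p, *rep;
  char       *out, *q;

  for (p = s; *p; p ++)                      /* first pass: size the output */
    len += (rep = html_entity(*p)) ? strlen(rep) : 1;

  if ((out = malloc(len + 1)) == NULL)
    return NULL;

  for (p = s, q = out; *p; p ++)             /* second pass: copy/escape */
  {
    if ((rep = html_entity(*p)) != NULL)
    {
      size_t n = strlen(rep);
      memcpy(q, rep, n);
      q += n;
    }
    else
      *q ++ = *p;
  }
  *q = '\0';
  return out;
}

/* Build an "Upgrade Required" style body that echoes host and path. The
 * template is made up for this example; the host is escaped too because
 * it may originate from the client's Host header. Caller frees; NULL on OOM. */
char *upgrade_required_body(const char *host, const char *path)
{
  static const char fmt[] =
    "<P>You must access this page using the URL "
    "<A HREF=\"https://%s%s\">https://%s%s</A>.</P>";
  char *h = html_escape(host), *pth = html_escape(path), *body = NULL;

  if (h && pth)
  {
    int n = snprintf(NULL, 0, fmt, h, pth, h, pth);
    if (n >= 0 && (body = malloc((size_t)n + 1)) != NULL)
      snprintf(body, (size_t)n + 1, fmt, h, pth, h, pth);
  }
  free(h);
  free(pth);
  return body;
}

int main(void)
{
  /* Constructed test input modelled on the report's /.shtml URL. */
  const char *path = "/<script>alert(1)</script>.shtml";
  char       *body;

  printf("reject list: %s\n", path_has_markup_chars(path) ? "refused" : "allowed");
  if ((body = upgrade_required_body("192.168.0.1:631", path)) != NULL)
  {
    puts(body);
    free(body);
  }
  return 0;
}
```

The reject list only sees the bytes handed to it, so if the request target is percent-decoded after the check, a `%3C` passes and only the output escaping protects the page; that is why the two belong together rather than as alternatives. Escaping the host part is a precaution: the attached cupsd.conf sets `ServerAlias *`, which accepts any Host header value, so if that value is ever echoed it needs the same treatment as the path.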


michaelrsweet commented Feb 19, 2014

CUPS.org User: alexk

Thanks, looks like the patch works with 1.6.4 as well.


michaelrsweet commented Apr 10, 2014

CUPS.org User: mike

Fixed in Subversion repository.


michaelrsweet commented Apr 10, 2014

"cupsd.conf":

ServerName printserver
ServerAlias *

Include /etc/cups/cups-files.conf

MaxLogSize 1000000000

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info

# Only listen for connections from the local machine.
Port 631
SSLPort 443

MaxClients 20000
MaxClientsPerHost 1000

# Max jobs per server, and per printer
MaxJobs 250
MaxJobsPerPrinter 25

# Don't store job files
PreserveJobFiles Off

FilterNice 5

# Browsing configuration varies per host; include it as a separate file
Browsing off

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Do not pause printers on communication errors
ErrorPolicy retry-job

# Use papersize from PPD, don't enforce it
DefaultPaperSize none

# Restrict access to the server...
Encryption Required

# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Require user @System @printer-admins
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
Encryption Required
Require user @System @printer-admins
</Location>

# Set the default printer/job policies...
JobPrivateAccess @owner @System @printer-admins
JobPrivateValues job-name

# Job-related operations must be done by the owner or an administrator...
Require user @owner @System

# Job-related operations must be done by the owner or printer support...
Require user @owner @System @printer-admins

# All administration operations require an administrator to authenticate...
Require user @System @printer-admins

# Only allow system and role accounts to create new print queues.
Require user @System

# Only the owner or an administrator can cancel or authenticate a job...
Require user @owner @System @printer-admins
Order deny,allow

michaelrsweet commented Apr 10, 2014

"cups-files.conf":

ConfigFilePerm 0644
LogFilePerm 0644

AccessLog syslog
PageLog syslog

# Administrator user group...

SystemGroup root cups-admins

ServerCertificate /etc/cups/ssl/server.crt
ServerKey /etc/cups/ssl/server.key


michaelrsweet commented Apr 10, 2014

"str4356.patch":

Index: scheduler/client.c

--- scheduler/client.c (revision 11597)
+++ scheduler/client.c (working copy)
@@ -3316,6 +3316,14 @@
return (0);

/*

  • * Check for "<" or quotes in the path and reject since this is probably
  • * someone trying to inject HTML...
  • */
  • if (strchr(path, '<') != NULL || strchr(path, '"') != NULL || strchr(path, ''') != NULL)
  • return (0);
  • /*
    • Check for "/.." in the path...
      */
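Review bot: the reject list in this hunk covers only `<`, `"` and `'`, so `>` and `&` still pass, and the third test as shown, `strchr(path, ''')`, is not a valid character constant and will not compile; it should read `strchr(path, '\'')`, or the three calls could be collapsed into one `strpbrk(path, "<>\"'&")`. More fundamentally, refusing these characters on the way in leaves the echo itself unescaped: the "Upgrade Required" page quoted at the top of the issue reproduces the requested URL in its body, so any character the list misses is still rendered as markup. HTML-escaping the URL where that page is generated would close the reflection regardless of what is_path_absolute() lets through, with this check kept as defense in depth; the new comment should then state that role rather than only "probably someone trying to inject HTML".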

michaelrsweet added this to the Stable milestone Mar 17, 2016
