Cross-site scripting vulnerability in CUPS web interface (June 20, 2014)

Common Unix Printing System (CUPS) is a printing system that allows a computer to act as a print server. CUPS is for Unix-like operating systems. A system running CUPS acts as a host that accepts print jobs from client computers, processes them, and sends them to the appropriate printer.

CUPS provides a system for submitting print jobs to printers. Print data goes to the scheduler, which forwards it for printing. The CUPS scheduler implements the Internet Printing Protocol (IPP) over HTTP/1.1. It also provides a web-based interface for managing print jobs, configuring the server, and reading documentation about CUPS itself.

A cross-site scripting (XSS) vulnerability exists in the web interface of the scheduler. It allows remote attackers to inject arbitrary web script or HTML via the URL path. The vulnerable function is is_path_absolute. CUPS versions before 1.7.2 are vulnerable. The vulnerability has been fixed and a patch is available.

Exploit example: public exploit

http://XXX.XXX.XXX.XXX:631/GET /%3CSCRIPT%3Ealert(‘document.domain=’+document.domain)%3C/SCRIPT%3E.shtml HTTP/1.1

When processing the GET/POST request, the input is not sanitized and the script code is reflected back to the user. Successful exploitation will result in code being executed in the context of the current user.
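
The missing sanitization step described above, sketched in C as an added example (not CUPS source code and not part of the original advisory): decode the request path, refuse paths that contain HTML metacharacters, and HTML-escape anything echoed into an error page. The function names, buffer sizes and sample path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (size >= 1); -1 on bad escape, NUL byte or overflow. */
static int url_decode(const char *src, char *dst, size_t size) {
  size_t n = 0;
  for (; *src; src++) {
    unsigned char c = (unsigned char)*src;
    if (c == '%') {
      if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2])) return -1;
      char hex[3] = { src[1], src[2], '\0' };
      c = (unsigned char)strtoul(hex, NULL, 16);
      src += 2;
    }
    if (c == '\0' || n + 1 >= size) return -1;
    dst[n++] = (char)c;
  }
  dst[n] = '\0';
  return 0;
}
/* Hypothetical gate: serve only absolute paths that decode without HTML metacharacters. */
static int request_path_ok(const char *raw) {
  char p[1024];
  return !url_decode(raw, p, sizeof p) && p[0] == '/' && !strpbrk(p, "<>\"'");
}
/* HTML-escape src into dst (size >= 1) so a reflected path renders as text; -1 on overflow. */
static int html_escape(const char *src, char *dst, size_t size) {
  size_t n = 0;
  for (; *src; src++) {
    const char *rep = *src == '<' ? "&lt;" : *src == '>' ? "&gt;" : *src == '&' ? "&amp;" :
                      *src == '"' ? "&quot;" : *src == '\'' ? "&#39;" : NULL;
    size_t len = rep ? strlen(rep) : 1;
    if (n + len >= size) return -1;
    memcpy(dst + n, rep ? rep : src, len);  /* unescaped bytes are copied as-is */
    n += len;
  }
  dst[n] = '\0';
  return 0;
}

int main(void) {
  const char *raw = "/%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E.shtml"; /* constructed sample */
  char path[256], shown[1024];
  if (url_decode(raw, path, sizeof path) || html_escape(path, shown, sizeof shown)) return 1;
  printf("serve=%d, error page shows: %s\n", request_path_ok(raw), shown);
  return 0;
}
```

Rejecting the path and escaping the output are independent controls; escaping at the point of reflection still protects pages that echo input which passed validation.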

The Dell SonicWALL threat team has researched this vulnerability and released the following IPS signature for it:

  • IPS:3903 CUPS Web Interface URL Handling XSS

This vulnerability is tracked as CVE-2014-2856.
