Cross-site scripting vulnerability in CUPS web interface

June 20, 2014

Common Unix Printing System (CUPS) is a printing system that allows a computer to act as a print server. CUPS is for Unix-like computer operating systems. The system running CUPS acts as a host that accepts print jobs from client computers, processes them, and sends them to the appropriate printer.

CUPS provides a system to print jobs to the printers. The print data goes to the scheduler, which sends it on to be printed. The CUPS scheduler implements Internet Printing Protocol (IPP) over HTTP/1.1. The CUPS scheduler also provides a web-based interface for managing print jobs, the configuration of the server, and for documentation about CUPS itself.

A cross-site scripting (XSS) vulnerability exists in the web interface of the scheduler. It allows remote attackers to inject arbitrary web script or HTML via the URL path. The vulnerable function is is_path_absolute. CUPS versions before 1.7.2 are vulnerable. The vulnerability has been fixed and a patch is available.

Exploit example: public exploit

http://XXX.XXX.XXX.XXX:631/GET /%3CSCRIPT%3Ealert('document.domain='+document.domain)%3C/SCRIPT%3E.shtml HTTP/1.1

When processing the GET/POST request, the input is not sanitized and the script code is reflected back to the user. Successful exploitation results in code being executed in the context of the current user.
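One way to reject such a request path before it can be reflected, shown as an added example that is not CUPS source code: the function names and the set of rejected characters are assumptions made for illustration. The path is percent-decoded first, so encoded markup such as `%3C` is caught as well.

```c
/* Added illustration; names are hypothetical and this is not CUPS source. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes; returns 0, or -1 on a malformed escape, %00 or overflow. */
static int percent_decode(const char *src, char *dst, size_t dstsize)
{
    size_t n = 0;
    while (*src) {
        unsigned char c = (unsigned char)*src++;
        if (c == '%') {
            char hex[3] = { 0 };
            if (!isxdigit((unsigned char)src[0]) || !isxdigit((unsigned char)src[1]))
                return -1;              /* truncated or non-hex escape */
            hex[0] = src[0];
            hex[1] = src[1];
            c = (unsigned char)strtol(hex, NULL, 16);
            src += 2;
            if (c == '\0')
                return -1;              /* embedded NUL would hide the tail */
        }
        if (n + 1 >= dstsize)
            return -1;                  /* decoded path does not fit */
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 0;
}

/* Returns 1 if the request path may be processed, 0 if it must be rejected. */
int request_path_is_acceptable(const char *raw_path)
{
    char path[1024];
    if (percent_decode(raw_path, path, sizeof(path)) != 0)
        return 0;
    if (path[0] != '/')                     /* must be an absolute path */
        return 0;
    if (strpbrk(path, "<>\"'") != NULL)     /* markup or attribute breakout */
        return 0;
    return 1;
}

int main(void)
{
    const char *probe = "/%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E.shtml"; /* constructed sample */
    printf("/admin/ -> %d\n", request_path_is_acceptable("/admin/"));
    printf("%s -> %d\n", probe, request_path_is_acceptable(probe));
    return 0;
}
```

Rejecting the path is only the input-side control; any page that echoes request data should still HTML-encode it on output.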

The Dell SonicWALL threat team has researched this vulnerability and released the following IPS signature for it.

  • IPS:3903 CUPS Web Interface URL Handling XSS

This vulnerability is tracked as CVE-2014-2856.