Bugzilla – Bug 873899
VUL-0: CVE-2014-2856: cups: cross-site scripting flaw fixed in the 1.7.2 release
Last modified: 2014-04-25 13:47:34 UTC
Via rh#1087122:

The CUPS 1.7.2 release fixes a possible cross-site scripting issue in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.

CVE-2014-2856 was assigned to this issue.

Upstream fix:
http://www.cups.org/strfiles.php/3268/str4356.patch
http://www.cups.org/blog.php?L717
http://www.cups.org/str.php?L4356

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1087122
bugbot adjusting priority
I cannot reproduce it as reported in
http://www.cups.org/str.php?L4356

I cannot reproduce it with CUPS 1.5.4 on openSUSE 13.1
(long lines wrapped here):
------------------------------------------------------------------------------
# curl "http://localhost:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<TITLE>Not Found - CUPS v1.5.4</TITLE>
<LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
</HEAD>
<BODY>
<H1>Not Found</H1>
<P></P>
</BODY>
</HTML>
------------------------------------------------------------------------------

I cannot reproduce it with CUPS 1.3.9 on SLES11-SP3
(long lines wrapped here):
------------------------------------------------------------------------------
curl "http://localhost:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.html"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
 "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<TITLE>404 Not Found</TITLE>
<LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
</HEAD>
<BODY>
<H1>404 Not Found</H1>
<P></P>
</BODY>
</HTML>
------------------------------------------------------------------------------

Therefore I assume it is really only an issue since CUPS 1.6
as reported in http://www.cups.org/str.php?L4356

We do not have CUPS 1.6 in any of our products
so that we are not affected - provided my tests above are right.