Bug 873899 - (CVE-2014-2856) VUL-0: CVE-2014-2856: cups: cross-site scripting flaw fixed in the 1.7.2 release
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Johannes Meixner
Security Team bot
https://smash.suse.de/issue/97906/
Reported: 2014-04-16 09:49 UTC by Alexander Bergmann
Modified: 2014-04-25 13:47 UTC

Found By: Security Response Team

Description Alexander Bergmann 2014-04-16 09:49:59 UTC
Via rh#1087122:

The CUPS 1.7.2 release fixes a possible cross-site scripting issue in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.

CVE-2014-2856 was assigned to this issue.

Upstream fix:
http://www.cups.org/strfiles.php/3268/str4356.patch
http://www.cups.org/blog.php?L717
http://www.cups.org/str.php?L4356




References:
https://bugzilla.redhat.com/show_bug.cgi?id=1087122
Comment 1 Swamp Workflow Management 2014-04-16 22:00:34 UTC
bugbot adjusting priority
Comment 3 Johannes Meixner 2014-04-25 13:40:34 UTC
I cannot reproduce it as reported in
http://www.cups.org/str.php?L4356

I cannot reproduce it with CUPS 1.5.4 on openSUSE 13.1
(long lines wrapped here):
------------------------------------------------------------------------------
# curl "http://localhost:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml"

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
        <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
        <TITLE>Not Found - CUPS v1.5.4</TITLE>
        <LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
</HEAD>
<BODY>
<H1>Not Found</H1>
<P></P>
</BODY>
</HTML>
------------------------------------------------------------------------------

I cannot reproduce it with CUPS 1.3.9 on SLES11-SP3
(long lines wrapped here):
------------------------------------------------------------------------------
curl "http://localhost:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.html"

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
 "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
        <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
        <TITLE>404 Not Found</TITLE>
        <LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
</HEAD>
<BODY>
<H1>404 Not Found</H1>
<P></P>
</BODY>
</HTML>
------------------------------------------------------------------------------

Therefore I assume it is really only an issue since CUPS 1.6
as reported in http://www.cups.org/str.php?L4356

We do not have CUPS 1.6 in any of our products so that
we are not affected - provided my tests above are right.
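
The by-eye check in comment 3 (is the probe from the request path echoed back in the 404 page?) can be scripted for regression testing. The following is an added example, not part of the bug report or of CUPS; `classify_reflection` and the three `BODY_RAW`/`BODY_ESCAPED`/`BODY_ENCODED` sample bodies are constructed for illustration, while `BODY_CUPS_154` is the 1.5.4 response quoted above with whitespace trimmed.

```python
import html
from urllib.parse import quote

# Probe string taken from the curl commands in comment 3.
PROBE = "<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>"


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Report how `probe` appears in an HTML response body.

    'raw'     - echoed unmodified, so a browser would parse it as markup
    'escaped' - echoed with HTML entities, rendered as inert text
    'encoded' - echoed percent-encoded, rendered as inert text
    'absent'  - not echoed at all
    """
    haystack = body.lower()  # HTML tag names are case-insensitive
    if probe.lower() in haystack:
        return "raw"
    # Try both escaping styles: with and without quote characters escaped.
    for escape_quotes in (True, False):
        if html.escape(probe, quote=escape_quotes).lower() in haystack:
            return "escaped"
    # Percent-encoded, with "/" either encoded or left as-is.
    if any(quote(probe, safe=s).lower() in haystack for s in ("", "/")):
        return "encoded"
    return "absent"


# 404 body returned by CUPS 1.5.4 in comment 3 (whitespace trimmed).
BODY_CUPS_154 = (
    "<HTML><HEAD><TITLE>Not Found - CUPS v1.5.4</TITLE></HEAD>"
    "<BODY><H1>Not Found</H1><P></P></BODY></HTML>"
)
# Constructed bodies (not real CUPS output) covering the other outcomes.
BODY_RAW = "<BODY><H1>Not Found</H1><P>/" + PROBE + ".shtml</P></BODY>"
BODY_ESCAPED = "<BODY><P>/" + html.escape(PROBE) + ".shtml</P></BODY>"
BODY_ENCODED = "<BODY><P>/" + quote(PROBE, safe="") + ".shtml</P></BODY>"


def classify_samples() -> dict:
    samples = {"cups-1.5.4": BODY_CUPS_154, "raw": BODY_RAW,
               "escaped": BODY_ESCAPED, "encoded": BODY_ENCODED}
    return {name: classify_reflection(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12s} {verdict}")
```

Only a `raw` verdict indicates that the response page would hand the markup to the browser as HTML; `absent`, as in both responses quoted in comment 3, means the path is not echoed at all.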