CVE-2009-2820 - Cross-Site Scripting vulnerability in Apple Mac OS X and Mac OS X Server
Summary
The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.
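The three bug classes the summary names, shown as an added example in Python rather than as code from CUPS or from any advisory on this page: a checkbox parameter echoed into an attribute position (attribute injection), a checker that reads a different copy of a repeated parameter than the renderer does (HTTP Parameter Pollution), and a user-controlled header value carrying CR/LF (HTTP response splitting), each beside a hardened form. The `kerberos` parameter and the job-title field come from the advisory text; the template strings, the function names and the `checked` token are assumptions of this example.

```python
"""Added example, not CUPS code: attribute injection, HTTP Parameter
Pollution and HTTP response splitting, vulnerable beside hardened.
Templates, function names and the 'checked' token are assumptions."""
import html
import re
from urllib.parse import parse_qs

# Hypothetical admin-page fragments standing in for the CUPS CGI templates.
CHECKBOX = '<input type="checkbox" name="kerberos" {state}>'
JOB_ROW = '<a href="/jobs/{job_id}" title="{title}">{title}</a>'

HEADER_BAD = re.compile(r"[\r\n\x00]")


# ---- 1. attribute injection --------------------------------------------
def render_checkbox_vulnerable(query):
    """Interpolates the raw parameter into an attribute position."""
    params = parse_qs(query, keep_blank_values=True)
    state = params.get("kerberos", [""])[-1]          # last copy wins
    return CHECKBOX.format(state=state)


def render_checkbox_hardened(query):
    """Maps the parameter to a fixed token instead of echoing it."""
    params = parse_qs(query, keep_blank_values=True)
    values = params.get("kerberos", [])
    if len(values) > 1:                               # HPP defence
        raise ValueError("repeated parameter: kerberos")
    state = "checked" if values == ["checked"] else ""
    return CHECKBOX.format(state=state)


def render_job_vulnerable(job_id, title):
    """Job titles are chosen by whoever can print, and land in attribute
    and text context unescaped."""
    return JOB_ROW.format(job_id=job_id, title=title)


def render_job_hardened(job_id, title):
    # quote=True also encodes " and ', so the value cannot close the attribute.
    return JOB_ROW.format(job_id=int(job_id), title=html.escape(title, quote=True))


# ---- 2. HTTP Parameter Pollution ---------------------------------------
def naive_filter_passes(query):
    """A checker that inspects only the *first* copy of the parameter,
    while render_checkbox_vulnerable consumes the last one."""
    params = parse_qs(query, keep_blank_values=True)
    first = params.get("kerberos", [""])[0]
    return not re.search(r'[<>"\']', first)


# ---- 3. HTTP response splitting ----------------------------------------
def redirect_vulnerable(target):
    """Builds a raw response with a user-controlled header value."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def redirect_hardened(target):
    if HEADER_BAD.search(target):
        raise ValueError("CR/LF/NUL in header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def split_response(raw):
    """Header blocks a proxy or browser would see in the byte stream."""
    return [b for b in raw.split(b"\r\n\r\n") if b.startswith(b"HTTP/")]


if __name__ == "__main__":
    # Constructed payloads, URL-encoded as a browser would send them.
    inject = "kerberos=%22%20autofocus%20onfocus%3D%22alert(1)"
    hpp = "kerberos=checked&" + inject
    print(render_checkbox_vulnerable(inject))
    print(naive_filter_passes(hpp), render_checkbox_vulnerable(hpp))
    print(render_job_hardened(7, '" onmouseover="alert(1)'))
    print(redirect_vulnerable("/admin\r\n\r\nHTTP/1.1 200 OK\r\n\r\n<script>1</script>"))
```

Running the module prints the injected checkbox, the HPP case in which the filter passes while the renderer still injects, the escaped job row, and a raw redirect that a proxy would parse as two responses. The hardened checkbox never echoes the value at all; the hardened job row escapes because the title is free text; the hardened redirect rejects rather than strips, since a stripped value would silently change the redirect target.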
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Cross Site Scripting through Log Files: An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attacker's scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross-site scripting.
- Embedding Scripts in Non-Script Elements: This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts, such as image tags (<img>), comments in XML documents (<!--CDATA-->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch an XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) from the ability of the remote attacker to collect and interpret the output of said attack.
- Embedding Scripts within Scripts: An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute their own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back-end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries such as web application firewalls, network devices, and even printers having JVMs and web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client-side scripts like Ajax and client-side JavaScript can contain malicious scripts as well. In general, all that is required is a location with sufficient privileges to execute a script that is not protected against writing.
- Cross-Site Scripting in Error Pages: An attacker distributes a link (or possibly some other query structure) with a request to a third-party web server that is malformed and also contains a block of exploit code, in order to have the exploit become live code in the resulting error page. When the third-party web server receives the crafted request and notes the error, it creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker, the infected error message is returned including the exploit code, which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third-party web server, which the victim may trust and hence be more vulnerable to deception.
- Cross-Site Scripting Using Alternate Syntax: The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case-insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords, it is possible to bypass filters (e.g., incomplete blacklists) by using an alternate case structure. For example, the "script" tag using the alternate forms "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible, as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.
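The filter-bypass patterns listed above (alternate case, non-script elements, nested tags that survive a single strip), as an added example that is not taken from any source quoted on this page: three progressively "better" blacklist filters are run against a constructed payload set, and each still lets something through, while contextual output encoding lets nothing through. The filter functions are deliberately naive stand-ins, the payload list is constructed, and the "browser" is a two-regex approximation of what would execute.

```python
"""Added example (not from any source on this page): why blacklist filters
fail against alternate syntax and non-script elements, and why output
encoding does not. Filters are naive stand-ins; payloads are constructed."""
import html
import re

# Constructed payloads, one per bypass technique.
PAYLOADS = {
    "plain":      "<script>alert(1)</script>",
    "case":       "<ScRiPt>alert(1)</sCrIpT>",                   # alternate syntax
    "non_script": '<img src=x onerror="alert(1)">',              # non-script element
    "nested":     "<scr<script>ipt>alert(1)</scr</script>ipt>",  # survives one strip
    "svg":        "<svg/onload=alert(1)>",                       # no whitespace at all
}


def filter_v1(value):
    """Case-sensitive removal of the literal tag."""
    return value.replace("<script>", "").replace("</script>", "")


def filter_v2(value):
    """Case-insensitive, but a single pass."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def filter_v3(value):
    """Case-insensitive and repeated until stable: beats the nested form,
    still blind to event handlers on other elements."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"</?script[^>]*>", "", value, flags=re.IGNORECASE)
    return value


def encode_for_html(value):
    """Output encoding: the value can never open a tag or an attribute."""
    return html.escape(value, quote=True)


# Crude stand-in for a browser: a live <script> tag, or an on* handler on
# any element, counts as executable.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"<[a-z]+[^>]*[\s/]on[a-z]+\s*=", re.IGNORECASE)


def still_executes(rendered):
    return bool(SCRIPT_TAG.search(rendered) or EVENT_HANDLER.search(rendered))


def survivors(defence):
    """Names of the payloads that still execute after the given defence."""
    return [name for name, p in PAYLOADS.items() if still_executes(defence(p))]


if __name__ == "__main__":
    for d in (filter_v1, filter_v2, filter_v3, encode_for_html):
        print(f"{d.__name__:16} survivors: {survivors(d)}")
```

Each filter revision removes one row from the survivor list and leaves the rest, which is the point: a blacklist has to anticipate every syntax the rendering engine accepts, whereas encoding for the output context has to know only what that context treats as markup.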
Exploit-Db
EDB-ID: 33339
title: CUPS 'kerberos' Parameter Cross-Site Scripting Vulnerability
description: CUPS 'kerberos' Parameter Cross Site Scripting Vulnerability. CVE-2009-2820. Remote exploit for the Linux platform.
reporter: Aaron Sigel
published: 2009-11-09; modified: 2009-11-09; last seen: 2016-02-03
source: https://www.exploit-db.com/download/33339/

EDB-ID: 10001
title: CUPS 'kerberos' Parameter Cross-Site Scripting Vulnerability
description: CUPS 'kerberos' Parameter Cross-Site Scripting Vulnerability. CVE-2009-2820. Remote exploit for multiple platforms.
reporter: Aaron Sigel
published: 2009-11-11; modified: 2009-11-11; last seen: 2016-02-01
source: https://www.exploit-db.com/download/10001/
Nessus
The Security Update 2009-006 plugin below covers the whole update, so its CVSS vector (AV:N/AC:L/Au:N/C:C/I:C/A:C) and its "exploited by malware" flag describe the most severe issue in that update, not CVE-2009-2820 on its own; the Debian plugin, which checks only this CVE, scores it AV:N/AC:M/Au:N/C:N/I:P/A:N.
NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD2009-006.NASL
description: The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2009-006 applied. This security update contains fixes for the following products: AFP Client, Adaptive Firewall, Apache, Apache Portable Runtime, ATS, Certificate Assistant, CoreGraphics, CUPS, Dictionary, DirectoryService, Disk Images, Event Monitor, fetchmail, FTP Server, Help Viewer, International Components for Unicode, IOKit, IPSec, libsecurity, libxml, OpenLDAP, OpenSSH, PHP, QuickDraw Manager, QuickLook, FreeRADIUS, Screen Sharing, Spotlight, Subversion.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42433; published: 2009-11-09
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42433
title: Mac OS X Multiple Vulnerabilities (Security Update 2009-006)
code:

#
# (C) Tenable Network Security, Inc.
#

if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(42433);
  script_version("1.27");

  script_cve_id(
    "CVE-2007-5707", "CVE-2007-6698", "CVE-2008-0658", "CVE-2008-5161",
    "CVE-2009-0023", "CVE-2009-1191", "CVE-2009-1195", "CVE-2009-1574",
    "CVE-2009-1632", "CVE-2009-1890", "CVE-2009-1891", "CVE-2009-1955",
    "CVE-2009-1956", "CVE-2009-2408", "CVE-2009-2409", "CVE-2009-2411",
    "CVE-2009-2412", "CVE-2009-2414", "CVE-2009-2416", "CVE-2009-2666",
    "CVE-2009-2808", "CVE-2009-2818", "CVE-2009-2819", "CVE-2009-2820",
    "CVE-2009-2823", "CVE-2009-2824", "CVE-2009-2825", "CVE-2009-2826",
    "CVE-2009-2827", "CVE-2009-2828", "CVE-2009-2829", "CVE-2009-2831",
    "CVE-2009-2832", "CVE-2009-2833", "CVE-2009-2834", "CVE-2009-2837",
    "CVE-2009-2838", "CVE-2009-2839", "CVE-2009-2840", "CVE-2009-3111",
    "CVE-2009-3291", "CVE-2009-3292", "CVE-2009-3293"
  );
  script_bugtraq_id(
    26245, 27778, 34663, 35115, 35221, 35251, 35565, 35623, 35888, 35983,
    36263, 36449, 36959, 36961, 36962, 36963, 36964, 36966, 36967, 36972,
    36973, 36975, 36977, 36978, 36979, 36982, 36985, 36988, 36990
  );

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-006)");
  script_summary(english:"Check for the presence of Security Update 2009-006");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote host is missing a Mac OS X update that fixes various security issues."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is running a version of Mac OS X 10.5 that does not have
Security Update 2009-006 applied.

This security update contains fixes for the following products :

  - AFP Client
  - Adaptive Firewall
  - Apache
  - Apache Portable Runtime
  - ATS
  - Certificate Assistant
  - CoreGraphics
  - CUPS
  - Dictionary
  - DirectoryService
  - Disk Images
  - Event Monitor
  - fetchmail
  - FTP Server
  - Help Viewer
  - International Components for Unicode
  - IOKit
  - IPSec
  - libsecurity
  - libxml
  - OpenLDAP
  - OpenSSH
  - PHP
  - QuickDraw Manager
  - QuickLook
  - FreeRADIUS
  - Screen Sharing
  - Spotlight
  - Subversion"
  );
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3937");
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/18255");
  script_set_attribute(attribute:"solution", value:"Install Security Update 2009-006 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(16, 20, 79, 119, 189, 200, 255, 264, 310, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/09");
  script_cvs_date("Date: 2018/07/16 12:48:31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");

  exit(0);
}

# Identify the Darwin kernel version from uname; Darwin 9.0-9.8 is Mac OS X 10.5.x.
uname = get_kb_item("Host/uname");
if (!uname) exit(1, "The 'Host/uname' KB item is missing.");

pat = "^.+Darwin.* ([0-9]+\.[0-9.]+).*$";
if (!ereg(pattern:pat, string:uname))
  exit(1, "Can't identify the Darwin kernel version from the uname output ("+uname+").");

darwin = ereg_replace(pattern:pat, replace:"\1", string:uname);
if (ereg(pattern:"^(9\.[0-8]\.)", string:darwin))
{
  # Look for the receipt of Security Update 2009-006 or any later one.
  packages = get_kb_item("Host/MacOSX/packages/boms");
  if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing.");

  if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[6-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages))
    exit(0, "The host has Security Update 2009-006 or later installed and therefore is not affected.");
  else
    security_hole(0);
}
else exit(0, "The host is running Darwin kernel version "+darwin+" and therefore is not affected.");
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1933.NASL
description: Aaron Siegel discovered that the web interface of cups, the Common UNIX Printing System, is prone to cross-site scripting attacks.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 44798; published: 2010-02-24
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/44798
title: Debian DSA-1933-1 : cups - missing input sanitising
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1933. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(44798);
  script_version("1.10");
  script_cvs_date("Date: 2019/08/02 13:32:22");

  script_cve_id("CVE-2009-2820");
  script_bugtraq_id(36958);
  script_xref(name:"DSA", value:"1933");

  script_name(english:"Debian DSA-1933-1 : cups - missing input sanitising");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Aaron Siegel discovered that the web interface of cups, the Common UNIX
Printing System, is prone to cross-site scripting attacks."
  );
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2009/dsa-1933");
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the cups packages.

For the oldstable distribution (etch), this problem has been fixed in
version 1.2.7-4+etch9.

For the stable distribution (lenny), this problem has been fixed in
version 1.3.8-1+lenny7."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(79);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# deb_check() compares the installed package version against the fixed
# version with Debian version ordering, so a backported fix is recognised
# even though the upstream version number stays at 1.2.7 / 1.3.8.
flag = 0;
if (deb_check(release:"4.0", prefix:"cupsys", reference:"1.2.7-4+etch9")) flag++;
if (deb_check(release:"4.0", prefix:"cupsys-bsd", reference:"1.2.7-4+etch9")) flag++;
if (deb_check(release:"4.0", prefix:"cupsys-client", reference:"1.2.7-4+etch9")) flag++;
if (deb_check(release:"4.0", prefix:"cupsys-common", reference:"1.2.7-4+etch9")) flag++;
if (deb_check(release:"4.0", prefix:"cupsys-dbg", reference:"1.2.7-4+etch9")) flag++;
if (deb_check(release:"4.0", prefix:"libcupsimage2", reference:"1.2.7-4+etch9")) flag++;
if (deb_check(release:"4.0", prefix:"libcupsimage2-dev", reference:"1.2.7-4+etch9")) flag++;
if (deb_check(release:"4.0", prefix:"libcupsys2", reference:"1.2.7-4+etch9")) flag++;
if (deb_check(release:"4.0", prefix:"libcupsys2-dev", reference:"1.2.7-4+etch9")) flag++;
if (deb_check(release:"4.0", prefix:"libcupsys2-gnutls10", reference:"1.2.7-4+etch9")) flag++;
if (deb_check(release:"5.0", prefix:"cups", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"cups-bsd", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"cups-client", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"cups-common", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"cups-dbg", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"cupsys", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"cupsys-bsd", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"cupsys-client", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"cupsys-common", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"cupsys-dbg", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"libcups2", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"libcups2-dev", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"libcupsimage2", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"libcupsimage2-dev", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"libcupsys2", reference:"1.3.8-1+lenny7")) flag++;
if (deb_check(release:"5.0", prefix:"libcupsys2-dev", reference:"1.3.8-1+lenny7")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: SuSE Local Security Checks
NASL id: SUSE_11_1_CUPS-091104.NASL
description: The cups web interface was prone to Cross-Site Scripting (XSS) problems (CVE-2009-2820).
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42472; published: 2009-11-12
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42472
title: openSUSE Security Update : cups (cups-1506)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_2_CUPS-091204.NASL
description: The cups web interface was prone to Cross-Site Scripting (XSS) problems (CVE-2009-2820). A use-after-free problem in cupsd allowed remote attackers to crash the cups server (CVE-2009-3553).
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 43107; published: 2009-12-11
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/43107
title: openSUSE Security Update : cups (cups-1650)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_10_6_2.NASL
description: The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.2. Mac OS X 10.6.2 contains security fixes for the following products: Adaptive Firewall, Apache, Apache Portable Runtime, Certificate Assistant, CoreMedia, CUPS, Dovecot, fetchmail, file, FTP Server, Help Viewer, ImageIO, IOKit, IPSec, Kernel, Launch Services, libsecurity, libxml, Login Window, OpenLDAP, QuickDraw Manager, QuickTime, Screen Sharing, Subversion.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42434; published: 2009-11-09
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42434
title: Mac OS X 10.6.x < 10.6.2 Multiple Vulnerabilities

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2009-10891.NASL
description: Updated to 1.4.2 including XSS security fix (CVE-2009-2820). Fixed improper reference counting in abstract file descriptors handling interface (CVE-2009-3553). Fixed admin.cgi crash when modifying a class. Fix cups-lpd to create unique temporary data files. Pass through serial parameters correctly in web interface. Set the PRINTER_IS_SHARED variable for admin.cgi. Fix removing files with lprm. Fixed German translation. Fixed PostScript errors with number-up handling. Fixed lspp-patch to avoid memory leak. Upstream fix for GNU TLS error handling bug. Reset SIGPIPE handler for child processes. Fixed typo in admin web template. Fixed incorrect handling of out-of-memory when loading jobs. Fixed wrong driver reported in web interface. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42935; published: 2009-12-01
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42935
title: Fedora 11 : cups-1.4.2-7.fc11 (2009-10891)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-856-1.NASL
description: Aaron Sigel discovered that the CUPS web interface incorrectly protected against cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. If an authenticated user were tricked into visiting a malicious website while logged into CUPS, a remote attacker could modify the CUPS configuration and possibly steal confidential data. (Description extracted by Tenable from the Ubuntu security advisory, as above.)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42466; published: 2009-11-11
reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/42466
title: Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : cups, cupsys vulnerability (USN-856-1)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2009-11062.NASL
description: This fixes CVE-2009-2820, an XSS vulnerability in the web interface. This also updates cups to the latest stable release on the 1.3 branch, and fixes a problem with number-up handling. (Description extracted by Tenable from the Fedora security advisory, as above.)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42965; published: 2009-12-02
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/42965
title: Fedora 10 : cups-1.3.11-2.fc10 (2009-11062)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2009-1595.NASL
description: Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553) Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820) Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 67076; published: 2013-06-29
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67076
title: CentOS 5 : cups (CESA-2009:1595)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2009-1595.NASL
description: From Red Hat Security Advisory 2009:1595 (same advisory text as the CentOS entry above).
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 67961; published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67961
title: Oracle Linux 5 : cups (ELSA-2009-1595)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2010-073.NASL
description: Multiple vulnerabilities have been found and corrected in cups: CUPS does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 45530; published: 2010-04-15
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/45530
title: Mandriva Linux Security Advisory : cups (MDVSA-2010:073-1)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_0_CUPS-091104.NASL
description: The cups web interface was prone to Cross-Site Scripting (XSS) problems (CVE-2009-2820).
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42471; published: 2009-11-12
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42471
title: openSUSE Security Update : cups (cups-1506)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_CUPS-091104.NASL
description: The cups web interface was prone to Cross-Site Scripting (XSS) problems. (CVE-2009-2820)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42473; published: 2009-11-12
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42473
title: SuSE 11 Security Update : CUPS (SAT Patch Number 1504)

NASL family: Misc.
NASL id: CUPS_1_4_2.NASL
description: According to its banner, the version of CUPS installed on the remote host is earlier than 1.4.2. The
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42468; published: 2009-11-11
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42468
title: CUPS < 1.4.2 kerberos Parameter XSS

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2009-1595.NASL
description: Red Hat Security Advisory 2009:1595 (same advisory text as the CentOS entry above).
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42850; published: 2009-11-19
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/42850
title: RHEL 5 : cups (RHSA-2009:1595)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2009-11314.NASL
description: New release, including fix for XSS vulnerability in web interface (CVE-2009-2820) and for improper reference counting in abstract file descriptors handling interface (CVE-2009-3553). (Description extracted by Tenable from the Fedora security advisory, as above.)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42936; published: 2009-12-01
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42936
title: Fedora 12 : cups-1.4.2-7.fc12 (2009-11314)
Oval
id: oval:org.mitre.oval:def:9153
title: The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.
description: … and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.
class: vulnerability
family: unix
status: accepted
submitted: 2010-07-09T03:56:16-04:00
accepted: 2013-04-29T04:18:21.008-04:00
version: 18
Redhat
advisories:
rpms:
Seebug
bulletinFamily: exploit
id: SSV:12599
title: Apple Mac OS X Update 2009-006 Fixes Multiple Security Vulnerabilities
reporter: Root
published: 2009-11-10; modified: 2009-11-10; last seen: 2017-11-19
description: BUGTRAQ ID: 36956. CVE ID: CVE-2009-2808, CVE-2009-2810, CVE-2009-2818, CVE-2009-2819, CVE-2009-2820, CVE-2009-2823, CVE-2009-2824, CVE-2009-2825, CVE-2009-2826, CVE-2009-2827, CVE-2009-2828, CVE-2009-2829, CVE-2009-2830, CVE-2009-2831, CVE-2009-2832, CVE-2009-2833, CVE-2009-2834, CVE-2009-2835, CVE-2009-2837, CVE-2009-2838, CVE-2009-2839, CVE-2009-2840.
Mac OS X is the operating system used on Apple's family of machines. Apple Security Update 2009-006 fixes multiple security vulnerabilities in Mac OS X; a local or remote attacker could exploit them to cause a denial of service, read sensitive information, or execute arbitrary code.
CVE-2009-2808: Help Viewer does not use HTTPS to view Apple Help content; a user on the local network can send a forged HTTP response containing a malicious help:runscript link.
CVE-2009-2810: When Launch Services is invoked to open a quarantined folder, it recursively clears the quarantine information from the files in that folder; that quarantine information is what triggers the user warning before an item is opened. This may allow unsafe items, such as applications, to be launched without the warning dialog.
CVE-2009-2818: The Adaptive Firewall responds to suspicious behavior, such as a large number of login attempts, by creating temporary rules that restrict access. Under certain circumstances the Adaptive Firewall may fail to detect SSH login attempts that use an invalid username.
CVE-2009-2819: Multiple memory corruption vulnerabilities exist in the AFP client; connecting to a malicious AFP server may lead to unexpected system termination or arbitrary code execution with system privileges.
CVE-2009-2820: Vulnerabilities in CUPS may lead to cross-site scripting and HTTP response splitting; visiting a malicious web page or URL may allow an attacker to access, through the CUPS web interface, content available to the local user, including the print system configuration and the titles of printed jobs.
CVE-2009-2823: The Apache web server allows the TRACE HTTP method; a remote attacker may use this to perform cross-site scripting attacks through certain web client software.
CVE-2009-2824: Multiple buffer overflows exist in the way Apple Type Services handles embedded fonts; viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.
CVE-2009-2825: An error exists in the handling of SSL certificates containing a null character in the CN field; a user may be misled into accepting a specially crafted certificate that appears to match the domain the user is visiting.
CVE-2009-2826: Multiple integer overflows leading to heap overflows exist in CoreGraphics' handling of PDF files; opening a malicious PDF file may lead to unexpected application termination or arbitrary code execution.
CVE-2009-2827: A heap overflow exists in the handling of disk images containing a FAT filesystem; downloading a malicious disk image may lead to unexpected application termination or arbitrary code execution.
CVE-2009-2828: A memory corruption vulnerability in DirectoryService may lead to unexpected application termination or arbitrary code execution.
CVE-2009-2829: A log injection vulnerability exists in Event Monitor; connecting to the SSH server with specially crafted authentication information can cause log injection, which may lead to a denial of service when other services process the log data.
CVE-2009-2830: Multiple buffer overflows exist in the file command-line tool; running the file command on a malicious CDF file may lead to unexpected application termination or arbitrary code execution.
CVE-2009-2831: A design error in Dictionary allows malicious JavaScript to write arbitrary data to arbitrary locations on the user's filesystem; this may allow other users on the local network to execute arbitrary code on the user's system.
CVE-2009-2832: A buffer overflow exists in the FTP server's handling of the CWD command; issuing a CWD command against a deeply nested directory structure may lead to unexpected application termination or arbitrary code execution.
CVE-2009-2833: A buffer overflow in the UCCompareTextDefault API may lead to unexpected application termination or arbitrary code execution.
CVE-2009-2834: Unprivileged users can change the firmware of an attached USB or Bluetooth Apple keyboard.
CVE-2009-2835: Multiple input validation issues exist in the kernel's handling of task state segments, which may allow a local user to cause information disclosure, unexpected system shutdown, or arbitrary code execution.
CVE-2009-2837: A heap overflow exists in QuickDraw's handling of PICT images; opening a malicious PICT image may lead to unexpected application termination or arbitrary code execution.
CVE-2009-2838: An integer overflow exists in QuickLook's handling of Microsoft Office files; downloading a malicious Microsoft Office file may lead to unexpected application termination or arbitrary code execution.
CVE-2009-2839: Multiple memory corruption vulnerabilities exist in the Screen Sharing client; accessing a malicious VNC server by opening a vnc:// URL may lead to unexpected application termination or arbitrary code execution.
CVE-2009-2840: An insecure file operation exists in the way Spotlight handles temporary files, which may allow a local user to overwrite files with the privileges of another user.
Affected: Apple Mac OS X < 10.6.2; Apple MacOS X Server < 10.6.2.
Vendor patch: Apple has released an update that fixes these issues; download it from the vendor's site: http://www.apple.com/support/downloads/

bulletinFamily: exploit
id: SSV:12618
title: New cups packages fix cross-site scripting
reporter: Root
published: 2009-11-11; modified: 2009-11-11; last seen: 2017-11-19
description: No description provided by source.
source: https://www.seebug.org/vuldb/ssvid-12618

bulletinFamily: exploit
id: SSV:12619
title: CUPS vulnerability
reporter: Root
published: 2009-11-11; modified: 2009-11-11; last seen: 2017-11-19
description: No description provided by source.
source: https://www.seebug.org/vuldb/ssvid-12619

bulletinFamily: exploit
id: SSV:12663
title: CUPS kerberos Parameter Cross-Site Scripting Vulnerability
reporter: Root
published: 2009-11-18; modified: 2009-11-18; last seen: 2017-11-19
source: https://www.seebug.org/vuldb/ssvid-12663
description: BUGTRAQ ID: 36958. CVE ID: CVE-2009-2820.
The Common Unix Printing System (CUPS) is a general-purpose Unix printing system and cross-platform printing solution for Unix environments, based on the Internet Printing Protocol, that supports most PostScript and raster printers.
CUPS does not properly handle HTTP headers and HTML templates. A remote attacker can submit a malicious kerberos parameter through the product's web interface, the print system configuration, or the titles of print jobs to perform cross-site scripting or HTTP response splitting attacks.
Affected: Easy Software Products CUPS 1.4.x; Easy Software Products CUPS 1.3.x.
Vendor patches: Easy Software Products has released patches that fix this issue; download them from the vendor's site: http://www.cups.org/strfiles/3367/security-1.4v2.patch and http://www.cups.org/strfiles/3367/security-1.3v2.patch
Sun has published a security alert (Sun-Alert-6893187) with corresponding patches: Sun-Alert-6893187: Multiple Security Vulnerabilities in the Common Unix Printing System (CUPS) Web Interface in OpenSolaris May Lead to Cross-Site Scripting (XSS) and HTTP Response Splitting Attacks. Link: http://sunsolve.sun.com/search/document.do?assetkey=1-66-271169-1
References
- http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
- http://secunia.com/advisories/37308
- http://secunia.com/advisories/37360
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021115.1-1
- http://support.apple.com/kb/HT3937
- http://www.cups.org/articles.php?L590
- http://www.cups.org/documentation.php/relnotes.html
- http://www.cups.org/str.php?L3367
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:072
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:073
- http://www.redhat.com/support/errata/RHSA-2009-1595.html
- http://www.securityfocus.com/bid/36956
- http://www.vupen.com/english/advisories/2009/3184
- https://bugzilla.redhat.com/show_bug.cgi?id=529833
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9153