Vulnerabilities > CVE-2009-2820 - Cross-Site Scripting vulnerability in Apple mac OS X and mac OS X Server

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
apple
CWE-79
nessus
exploit available

Summary

The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.

Vulnerable Configurations

Part Description Count
OS
Apple
126

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Embedding Scripts in Non-Script Elements
    This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Cross-Site Scripting in Error Pages
    An attacker distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker the infected error message error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.
  • Cross-Site Scripting Using Alternate Syntax
    The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.

Exploit-Db

  • descriptionCUPS 'kerberos' Parameter Cross Site Scripting Vulnerability. CVE-2009-2820. Remote exploit for linux platform
    idEDB-ID:33339
    last seen2016-02-03
    modified2009-11-09
    published2009-11-09
    reporterAaron Sigel
    sourcehttps://www.exploit-db.com/download/33339/
    titleCUPS 'kerberos' Parameter Cross-Site Scripting Vulnerability
  • descriptionCUPS 'kerberos' Parameter Cross-Site Scripting Vulnerability. CVE-2009-2820. Remote exploits for multiple platform
    idEDB-ID:10001
    last seen2016-02-01
    modified2009-11-11
    published2009-11-11
    reporterAaron Sigel
    sourcehttps://www.exploit-db.com/download/10001/
    titleCUPS 'kerberos' Parameter Cross-Site Scripting Vulnerability

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2009-006.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5 that does not have Security Update 2009-006 applied. This security update contains fixes for the following products : - AFP Client - Adaptive Firewall - Apache - Apache Portable Runtime - ATS - Certificate Assistant - CoreGraphics - CUPS - Dictionary - DirectoryService - Disk Images - Event Monitor - fetchmail - FTP Server - Help Viewer - International Components for Unicode - IOKit - IPSec - libsecurity - libxml - OpenLDAP - OpenSSH - PHP - QuickDraw Manager - QuickLook - FreeRADIUS - Screen Sharing - Spotlight - Subversion
    last seen2020-06-01
    modified2020-06-02
    plugin id42433
    published2009-11-09
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42433
    titleMac OS X Multiple Vulnerabilities (Security Update 2009-006)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if (NASL_LEVEL < 3000) exit(0);
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(42433);
      script_version("1.27");
    
      script_cve_id(
        "CVE-2007-5707",
        "CVE-2007-6698",
        "CVE-2008-0658",
        "CVE-2008-5161",
        "CVE-2009-0023",
        "CVE-2009-1191",
        "CVE-2009-1195",
        "CVE-2009-1574",
        "CVE-2009-1632",
        "CVE-2009-1890",
        "CVE-2009-1891",
        "CVE-2009-1955",
        "CVE-2009-1956",
        "CVE-2009-2408",
        "CVE-2009-2409",
        "CVE-2009-2411",
        "CVE-2009-2412",
        "CVE-2009-2414",
        "CVE-2009-2416",
        "CVE-2009-2666",
        "CVE-2009-2808",
        "CVE-2009-2818",
        "CVE-2009-2819",
        "CVE-2009-2820",
        "CVE-2009-2823",
        "CVE-2009-2824",
        "CVE-2009-2825",
        "CVE-2009-2826",
        "CVE-2009-2827",
        "CVE-2009-2828",
        "CVE-2009-2829",
        "CVE-2009-2831",
        "CVE-2009-2832",
        "CVE-2009-2833",
        "CVE-2009-2834",
        "CVE-2009-2837",
        "CVE-2009-2838",
        "CVE-2009-2839",
        "CVE-2009-2840",
        "CVE-2009-3111",
        "CVE-2009-3291",
        "CVE-2009-3292",
        "CVE-2009-3293"
      );
      script_bugtraq_id(
        26245,
        27778,
        34663,
        35115,
        35221,
        35251,
        35565,
        35623,
        35888,
        35983,
        36263,
        36449,
        36959,
        36961,
        36962,
        36963,
        36964,
        36966,
        36967,
        36972,
        36973,
        36975,
        36977,
        36978,
        36979,
        36982,
        36985,
        36988,
        36990
      );
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-006)");
      script_summary(english:"Check for the presence of Security Update 2009-006");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is running a version of Mac OS X 10.5 that does not
    have Security Update 2009-006 applied.
    
    This security update contains fixes for the following products :
    
      - AFP Client
      - Adaptive Firewall
      - Apache
      - Apache Portable Runtime
      - ATS
      - Certificate Assistant
      - CoreGraphics
      - CUPS
      - Dictionary
      - DirectoryService
      - Disk Images
      - Event Monitor
      - fetchmail
      - FTP Server
      - Help Viewer
      - International Components for Unicode
      - IOKit
      - IPSec
      - libsecurity
      - libxml
      - OpenLDAP
      - OpenSSH
      - PHP
      - QuickDraw Manager
      - QuickLook
      - FreeRADIUS
      - Screen Sharing
      - Spotlight
      - Subversion"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://support.apple.com/kb/HT3937"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://www.securityfocus.com/advisories/18255"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install Security Update 2009-006 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(16, 20, 79, 119, 189, 200, 255, 264, 310, 399);
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/09");
      script_cvs_date("Date: 2018/07/16 12:48:31");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages", "Host/uname");
    
      exit(0);
    }
    
    
    uname = get_kb_item("Host/uname");
    if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
    
    pat = "^.+Darwin.* ([0-9]+\.[0-9.]+).*$";
    if (!ereg(pattern:pat, string:uname)) exit(1, "Can't identify the Darwin kernel version from the uname output ("+uname+").");
    
    darwin = ereg_replace(pattern:pat, replace:"\1", string:uname);
    if (ereg(pattern:"^(9\.[0-8]\.)", string:darwin))
    {
      packages = get_kb_item("Host/MacOSX/packages/boms");
      if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing.");
    
      if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[6-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages))
        exit(0, "The host has Security Update 2009-006 or later installed and therefore is not affected.");
      else
        security_hole(0);
    }
    else exit(0, "The host is running Darwin kernel version "+darwin+" and therefore is not affected.");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1933.NASL
    descriptionAaron Siegel discovered that the web interface of cups, the Common UNIX Printing System, is prone to cross-site scripting attacks.
    last seen2020-06-01
    modified2020-06-02
    plugin id44798
    published2010-02-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44798
    titleDebian DSA-1933-1 : cups - missing input sanitising
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1933. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44798);
      script_version("1.10");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      script_cve_id("CVE-2009-2820");
      script_bugtraq_id(36958);
      script_xref(name:"DSA", value:"1933");
    
      script_name(english:"Debian DSA-1933-1 : cups - missing input sanitising");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Aaron Siegel discovered that the web interface of cups, the Common
    UNIX Printing System, is prone to cross-site scripting attacks."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1933"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the cups packages.
    
    For the oldstable distribution (etch), this problem has been fixed in
    version 1.2.7-4+etch9.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 1.3.8-1+lenny7."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(79);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"cupsys", reference:"1.2.7-4+etch9")) flag++;
    if (deb_check(release:"4.0", prefix:"cupsys-bsd", reference:"1.2.7-4+etch9")) flag++;
    if (deb_check(release:"4.0", prefix:"cupsys-client", reference:"1.2.7-4+etch9")) flag++;
    if (deb_check(release:"4.0", prefix:"cupsys-common", reference:"1.2.7-4+etch9")) flag++;
    if (deb_check(release:"4.0", prefix:"cupsys-dbg", reference:"1.2.7-4+etch9")) flag++;
    if (deb_check(release:"4.0", prefix:"libcupsimage2", reference:"1.2.7-4+etch9")) flag++;
    if (deb_check(release:"4.0", prefix:"libcupsimage2-dev", reference:"1.2.7-4+etch9")) flag++;
    if (deb_check(release:"4.0", prefix:"libcupsys2", reference:"1.2.7-4+etch9")) flag++;
    if (deb_check(release:"4.0", prefix:"libcupsys2-dev", reference:"1.2.7-4+etch9")) flag++;
    if (deb_check(release:"4.0", prefix:"libcupsys2-gnutls10", reference:"1.2.7-4+etch9")) flag++;
    if (deb_check(release:"5.0", prefix:"cups", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"cups-bsd", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"cups-client", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"cups-common", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"cups-dbg", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"cupsys", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"cupsys-bsd", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"cupsys-client", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"cupsys-common", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"cupsys-dbg", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"libcups2", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"libcups2-dev", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"libcupsimage2", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"libcupsimage2-dev", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"libcupsys2", reference:"1.3.8-1+lenny7")) flag++;
    if (deb_check(release:"5.0", prefix:"libcupsys2-dev", reference:"1.3.8-1+lenny7")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_CUPS-091104.NASL
    descriptionThe cups web interface was prone to Cross-Site Scripting (XSS) problems (CVE-2009-2820).
    last seen2020-06-01
    modified2020-06-02
    plugin id42472
    published2009-11-12
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42472
    titleopenSUSE Security Update : cups (cups-1506)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_CUPS-091204.NASL
    descriptionThe cups web interface was prone to Cross-Site Scripting (XSS) problems (CVE-2009-2820). A use-after-free problem in cupsd allowed remote attackers to crash the cups server (CVE-2009-3553).
    last seen2020-06-01
    modified2020-06-02
    plugin id43107
    published2009-12-11
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/43107
    titleopenSUSE Security Update : cups (cups-1650)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_6_2.NASL
    descriptionThe remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.2. Mac OS X 10.6.2 contains security fixes for the following products : - Adaptive Firewall - Apache - Apache Portable Runtime - Certificate Assistant - CoreMedia - CUPS - Dovecot - fetchmail - file - FTP Server - Help Viewer - ImageIO - IOKit - IPSec - Kernel - Launch Services - libsecurity - libxml - Login Window - OpenLDAP - QuickDraw Manager - QuickTime - Screen Sharing - Subversion
    last seen2020-06-01
    modified2020-06-02
    plugin id42434
    published2009-11-09
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42434
    titleMac OS X 10.6.x < 10.6.2 Multiple Vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-10891.NASL
    descriptionUpdated to 1.4.2 including XSS security fix (CVE-2009-2820). Fixed improper reference counting in abstract file descriptors handling interface (CVE-2009-3553). Fixed admin.cgi crash when modifying a class. Fix cups-lpd to create unique temporary data files. Pass through serial parameters correctly in web interface. Set the PRINTER_IS_SHARED variable for admin.cgi Fix removing files with lprm. Fixed German translation. Fixed PostScript errors with number-up handling. Fixed lspp-patch to avoid memory leak. Upstream fix for GNU TLS error handling bug. Reset SIGPIPE handler for child processes. Fixed typo in admin web template. Fixed incorrect handling of out-of-memory when loading jobs. Fixed wrong driver reported in web interface. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id42935
    published2009-12-01
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42935
    titleFedora 11 : cups-1.4.2-7.fc11 (2009-10891)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-856-1.NASL
    descriptionAaron Sigel discovered that the CUPS web interface incorrectly protected against cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. If an authenticated user were tricked into visiting a malicious website while logged into CUPS, a remote attacker could modify the CUPS configuration and possibly steal confidential data. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id42466
    published2009-11-11
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42466
    titleUbuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : cups, cupsys vulnerability (USN-856-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-11062.NASL
    descriptionThis fixes CVE-2009-2820, an XSS vulnerability in the web interface. This also updates cups to the latest stable release on the 1.3 branch, and fixes a problem with number-up handling. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id42965
    published2009-12-02
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42965
    titleFedora 10 : cups-1.3.11-2.fc10 (2009-11062)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-1595.NASL
    descriptionUpdated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553) Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820) Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id67076
    published2013-06-29
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67076
    titleCentOS 5 : cups (CESA-2009:1595)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2009-1595.NASL
    descriptionFrom Red Hat Security Advisory 2009:1595 : Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553) Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820) Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id67961
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67961
    titleOracle Linux 5 : cups (ELSA-2009-1595)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2010-073.NASL
    descriptionMultiple vulnerabilities has been found and corrected in cups : CUPS in does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product
    last seen2020-06-01
    modified2020-06-02
    plugin id45530
    published2010-04-15
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/45530
    titleMandriva Linux Security Advisory : cups (MDVSA-2010:073-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_CUPS-091104.NASL
    descriptionThe cups web interface was prone to Cross-Site Scripting (XSS) problems (CVE-2009-2820).
    last seen2020-06-01
    modified2020-06-02
    plugin id42471
    published2009-11-12
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42471
    titleopenSUSE Security Update : cups (cups-1506)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_CUPS-091104.NASL
    descriptionThe cups web interface was prone to Cross-Site Scripting (XSS) problems. (CVE-2009-2820)
    last seen2020-06-01
    modified2020-06-02
    plugin id42473
    published2009-11-12
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42473
    titleSuSE 11 Security Update : CUPS (SAT Patch Number 1504)
  • NASL familyMisc.
    NASL idCUPS_1_4_2.NASL
    descriptionAccording to its banner, the version of CUPS installed on the remote host is earlier than 1.4.2. The
    last seen2020-06-01
    modified2020-06-02
    plugin id42468
    published2009-11-11
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42468
    titleCUPS < 1.4.2 kerberos Parameter XSS
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-1595.NASL
    descriptionUpdated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553) Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820) Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id42850
    published2009-11-19
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42850
    titleRHEL 5 : cups (RHSA-2009:1595)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-11314.NASL
    descriptionNew release, including fix for XSS vulnerability in web interface (CVE-2009-2820) and for improper reference counting in abstract file descriptors handling interface (CVE-2009-3553). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id42936
    published2009-12-01
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42936
    titleFedora 12 : cups-1.4.2-7.fc12 (2009-11314)

Oval

accepted2013-04-29T04:18:21.008-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
description and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.
familyunix
idoval:org.mitre.oval:def:9153
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.
version18

Redhat

advisories
rhsa
idRHSA-2009:1595
rpms
  • cups-1:1.3.7-11.el5_4.4
  • cups-debuginfo-1:1.3.7-11.el5_4.4
  • cups-devel-1:1.3.7-11.el5_4.4
  • cups-libs-1:1.3.7-11.el5_4.4
  • cups-lpd-1:1.3.7-11.el5_4.4

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 36956 CVE ID: CVE-2009-2808,CVE-2009-2810,CVE-2009-2818,CVE-2009-2819,CVE-2009-2820,CVE-2009-2823,CVE-2009-2824,CVE-2009-2825,CVE-2009-2826,CVE-2009-2827,CVE-2009-2828,CVE-2009-2829,CVE-2009-2830,CVE-2009-2831,CVE-2009-2832,CVE-2009-2833,CVE-2009-2834,CVE-2009-2835,CVE-2009-2837,CVE-2009-2838,CVE-2009-2839,CVE-2009-2840 Mac OS X是苹果家族机器所使用的操作系统。 Apple 2009-006安全更新修复了Mac OS X中的多个安全漏洞,本地或远程攻击者可能利用这些漏洞导致拒绝服务、读取敏感信息或执行任意代码。 CVE-2009-2808 Help Viewer没有使用HTTPS查看Apple Help内容,本地网络中的用户可以发送包含有恶意help:runscript链接的伪造HTTP响应。 CVE-2009-2810 在调用Launch服务打开被隔离的文件夹时会递归的清除文件夹中文件的隔离信息,而被清除的隔离信息用户在打开项之前触发用户警告。这可能允许在没有警告对话框的情况下启动不安全的项,如应用程序。 CVE-2009-2818 自适应防火墙通过创建临时规则限制访问来响应可疑行为,如大量的访问尝试。在某些环境下,自适应防火墙可能无法检测使用无效用户名的SSH登录尝试。 CVE-2009-2819 AFP客户端中存在多个内存破坏漏洞,连接到恶意的AFP服务器可能导致系统意外终止或以系统权限执行任意代码。 CVE-2009-2820 CUPS中的漏洞可能导致跨站脚本和HTTP响应拆分,访问恶意网页或URL可能允许攻击者通过CUPS web接口访问本地用户可用的内容,包括打印系统配置和已打印任务的标题。 CVE-2009-2823 Apache Web服务器允许TRACE HTTP方式,远程攻击者可以利用这个工具通过某些Web客户端软件执行跨站脚本攻击。 CVE-2009-2824 Apple类型服务处理嵌入式字体的方式存在多个缓冲区溢出,查看或下载包含有恶意嵌入式字体的文档可能导致执行任意代码。 CVE-2009-2825 在处理CN字段中包含有空字符的SSL证书时存在错误,用户可能被误导接受外观类似于匹配用户所访问域的特制证书。 CVE-2009-2826 CoreGraphics处理PDF文件存在多个可导致堆溢出的整数溢出,打开恶意PDF文件可能导致应用程序意外终止或执行任意代码。 CVE-2009-2827 处理包含有FAT文件系统的磁盘镜像时存在堆溢出,下载恶意的磁盘镜像可能导致应用程序意外终止或执行任意代码。 CVE-2009-2828 DirectoryService中的内存破坏漏洞可能导致应用程序意外终止或执行任意代码。 CVE-2009-2829 Event Monitor中存在日志注入漏洞,通过特制认证信息连接到SSH服务器就可以导致日志注入。当其他服务处理日志数据时这可能导致拒绝服务。 CVE-2009-2830 文件命令行工具中存在多个缓冲区溢出漏洞,对恶意的CDF文件运行文件命令可能导致应用程序意外终止或执行任意代码。 CVE-2009-2831 Dictionary中的设计错误允许恶意的Javascript向用户文件系统的任意位置写入任意数据,这可能允许本地网络中的其他用户在用户系统上执行任意代码。 CVE-2009-2832 FTP服务器的CWD命令行工具中存在缓冲区溢出,对深层嵌套的目录结构发布CWD命令可能导致应用程序意外终止或执行任意代码。 CVE-2009-2833 UCCompareTextDefault API中的缓冲区溢出可能导致应用程序意外终止或执行任意代码。 CVE-2009-2834 非特权用户可以更改附带的USB或蓝牙Apple键盘的固件。 CVE-2009-2835 内核处理任务状态段存在多个输入验证问题,可能允许本地用户导致信息泄露、系统意外关机或执行任意代码。 CVE-2009-2837 QuickDraw处理PICT图形存在堆溢出,打开恶意的PICT图形可能导致应用程序意外终止或执行任意代码。 CVE-2009-2838 QuickLook处理Microsoft Office文件存在整数溢出,下载恶意的Microsoft Office文件可能导致应用程序意外终止或执行任意代码。 CVE-2009-2839 Screen Sharing客户端存在多个内存破坏漏洞,通过打开vnc:// URL访问恶意的VNC服务器可能导致应用程序意外终止或执行任意代码。 CVE-2009-2840 Spotlight处理临时文件的方式存在不安全的文件操作,可能允许本地用户以其他用户的权限覆盖文件。 Apple Mac OS X &lt; 10.6.2 Apple MacOS X Server &lt; 10.6.2 厂商补丁: Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.apple.com/support/downloads/
    idSSV:12599
    last seen2017-11-19
    modified2009-11-10
    published2009-11-10
    reporterRoot
    titleApple Mac OS X 2009-006更新修复多个安全漏洞
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:12618
    last seen2017-11-19
    modified2009-11-11
    published2009-11-11
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-12618
    titleNew cups packages fix cross-site scripting
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:12619
    last seen2017-11-19
    modified2009-11-11
    published2009-11-11
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-12619
    titleCUPS vulnerability
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 36958 CVE ID: CVE-2009-2820 Common Unix Printing System(CUPS)是一款通用Unix打印系统,是Unix环境下的跨平台打印解决方案,基于Internet打印协议,提供大多数PostScript和raster打印机服务。 CUPS没有正确地处理HTTP头和HTML模板,远程攻击者可以通过产品的web界面、打印系统的配置和打印任务的标题提交恶意kerberos参数,执行跨站脚本或HTTP响应拆分攻击。 Easy Software Products CUPS 1.4.x Easy Software Products CUPS 1.3.x 厂商补丁: Easy Software Products ---------------------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.cups.org/strfiles/3367/security-1.4v2.patch http://www.cups.org/strfiles/3367/security-1.3v2.patch Sun --- Sun已经为此发布了一个安全公告(Sun-Alert-6893187)以及相应补丁: Sun-Alert-6893187:Multiple Security Vulnerabilities in the Common Unix Printing System (CUPS) Web Interface in OpenSolaris May Lead to Cross-Site Scripting (XSS) and HTTP Response Splitting Attacks 链接:http://sunsolve.sun.com/search/document.do?assetkey=1-66-271169-1
    idSSV:12663
    last seen2017-11-19
    modified2009-11-18
    published2009-11-18
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-12663
    titleCUPS kerberos参数跨站脚本漏洞