[cups.bugs] [LOW] STR #2698: Cross-site request forgery in CUPS HTTP-commands

Michael Sweet msweet at apple.com
Mon Feb 4 13:21:11 PST 2008


[STR Closed w/Resolution]

Dupe of STR #2385. The CUPS 1.4 web interface uses POSTs for all actions;
prior releases will *not* be updated due to the limited scope of the
problem (test pages).

Referrer is unreliable (can be spoofed), as are most cookies and random
POST variables since they are vulnerable to man-in-the-middle attacks.

Ultimately, browsers need to protect against non-local pages accessing
local resources, whether via links or JavaScript.

Link: http://www.cups.org/str.php?L2698
Version: 1.2.12
Fix Version: 1.4-current (r6889)




