[cups.bugs] [LOW] STR #2698: Cross-site request forgery in CUPS HTTP-commands

Mikhail Simvulidy linux2.6 at gmail.com
Tue Feb 5 06:51:43 PST 2008


I can make a simple form that makes a POST request from my page by
form.submit() to any site - not only localhost, but also another
site where you are authorized - no matter whether by cookie or
HTTP authentication. Even if that site uses HTTPS! I can perform any
action in your account, because my request would use your cookies or
HTTP credentials. Referrer checking or random variables would solve
this problem, since an attacker can't change the referrer in the client's
browser and he can't see the value of that variable. The spoofing
possibility of HTTP is in a completely different area. Again, on localhost
and HTTPS man-in-the-middle attacks do not exist.

2008/2/4, Michael Sweet <msweet at apple.com>:
>
> [STR Closed w/Resolution]
>
> Dupe of STR #2385. The CUPS 1.4 web interface uses POSTs for all actions;
> prior releases will *not* be updated due to the limited scope of the
> problem (test pages).
>
> Referrer is unreliable (can be spoofed), as are most cookies and random
> POST variables since they are vulnerable to man-in-the-middle attacks.
>
> Ultimately, browsers need to protect against non-local pages accessing
> local resources, whether via links or Javascript.
>
> Link: http://www.cups.org/str.php?L2698
> Version: 1.2.12
> Fix Version: 1.4-current (r6889)
>
>
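The two checks proposed in the message above (Referer checking and a random form variable), shown server-side as an added example; this is not code from the thread or from CUPS, and the trusted origin, the `csrf_token` and `action` field names and the sample requests are assumptions constructed for illustration:

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the admin interface (constructed for this example).
TRUSTED_ORIGINS = {("https", "localhost:631")}

def new_session():
    """Create a session holding a random token the server's own form echoes back."""
    return {"csrf_token": secrets.token_urlsafe(32)}

def referer_is_trusted(referer):
    """Compare the parsed scheme and host:port, never a string prefix."""
    if not referer:
        return False  # strict policy: a state-changing POST without Referer is refused
    parts = urlsplit(referer)
    return (parts.scheme.lower(), parts.netloc.lower()) in TRUSTED_ORIGINS

def check_post(headers, form, session):
    """Return (allowed, reason) for a state-changing POST.

    `session` is what the server looked up from the cookie or HTTP
    credentials, which the browser attaches to cross-site requests too.
    """
    if not referer_is_trusted(headers.get("Referer")):
        return False, "referer"
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return False, "token"
    return True, "ok"

def demo():
    """Run four constructed requests against one authenticated session."""
    session = new_session()
    good = "https://localhost:631/admin"
    requests = {
        "own form": ({"Referer": good},
                     {"action": "test-page", "csrf_token": session["csrf_token"]}),
        "cross-site form": ({"Referer": "https://other.example/page"},
                            {"action": "test-page"}),
        "lookalike host": ({"Referer": "https://localhost:631.other.example/"},
                           {"action": "test-page"}),
        "guessed token": ({"Referer": good},
                          {"action": "test-page", "csrf_token": "guess"}),
    }
    return {name: check_post(h, f, session) for name, (h, f) in requests.items()}
```

The "lookalike host" case is why the Referer is parsed and compared as scheme plus host:port; a prefix comparison against `https://localhost:631` would accept it.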




