CUPS < 1.7.2 is_path_absolute Function XSS

2014-04-28T00:00:00
ID CUPS_1_7_2.NASL
Type nessus
Reporter Tenable
Modified 2018-07-06T00:00:00

Description

According to its banner, the version of CUPS installed on the remote host is prior to version 1.7.2. It is, therefore, affected by a cross-site scripting vulnerability.

A flaw exists with the is_path_absolute function within the scheduler/client.cscript. This could allow a context-dependent attacker, with a specially crafted request, to execute arbitrary script code within the browser and server trust relationship.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(73734);
  script_version("1.6");
  script_cvs_date("Date: 2018/07/06 11:26:07");

  script_cve_id("CVE-2014-2856");
  script_bugtraq_id(66788);

  script_name(english:"CUPS < 1.7.2 is_path_absolute Function XSS");
  script_summary(english:"Checks CUPS server version");

  script_set_attribute(attribute:"synopsis", value:
"The remote print service is affected by a cross-site scripting
vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of CUPS installed on the remote
host is prior to version 1.7.2. It is, therefore, affected by a
cross-site scripting vulnerability.

A flaw exists with the is_path_absolute function within the
scheduler/client.cscript. This could allow a context-dependent
attacker, with a specially crafted request, to execute arbitrary
script code within the browser and server trust relationship.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://www.cups.org/blog.php?L717");
  script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L4356");
  script_set_attribute(attribute:"see_also", value:"http://www.cups.org/strfiles.php/3268/str4356.patch");
  script_set_attribute(attribute:"solution", value:"Upgrade to CUPS version 1.7.2 or later, or apply the vendor patch.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/04/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/28");

  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:cups");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl", "cups_1_3_5.nasl");
  script_require_keys("www/cups", "Settings/ParanoidReport");
  script_require_ports("Services/www", 631);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:631, embedded:TRUE);
get_kb_item_or_exit("www/"+port+"/cups/running");

version = get_kb_item_or_exit("cups/"+port+"/version");
source  = get_kb_item_or_exit("cups/"+port+"/source");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if (version =~ "^(1|1\.7)($|[^0-9br.])") audit(AUDIT_VER_NOT_GRANULAR, "CUPS", port, version);

# Affected :
# < 1.7.2
if (
  version =~ "^1\.[0-6]($|[^0-9.])" ||
  version =~ "^1\.7\.[01]($|[^0-9.])" ||
  version =~ "^1\.7(rc|b)"
)
{
  set_kb_item(name:'www/'+port+'/XSS', value:TRUE);

  if (report_verbosity > 0)
  {
    report =
      '\n  Version source    : ' + source +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 1.7.2' +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "CUPS", port, version);