Your submission was sent successfully! Close

CVE-2009-0164

Published: 24 April 2009

The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks.

Priority

Low

Status

Package Release Status
cups
Launchpad, Ubuntu, Debian
dapper Does not exist

gutsy Does not exist

hardy Does not exist

intrepid Ignored

jaunty Ignored

karmic Not vulnerable
(1.4.1-1)
upstream
Released (1.3.10)
cupsys
Launchpad, Ubuntu, Debian
dapper Ignored

gutsy Ignored

hardy Ignored

intrepid Does not exist

jaunty Does not exist

karmic Does not exist

upstream Needs triage

Notes

AuthorNote
kees
cups/CVE-2009-0164.patch
jdstrand
patch is large, could break existing configurations if the
auto-discovery of alternate names does not work (eg, with CNAMES), and
requires a coordinated attack. The vulnerability appears to be mostly
information leakage, but might also allow starting and stopping of
printers. An attacker trying to perform actions via the web interface should
be challenged by the authentication system. The new ServerAlias directive
will be a part of 1.3.10.

References