Your submission was sent successfully! Close

CVE-2009-0164

Published: 24 April 2009

The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks.

Priority

Low

Status

Package Release Status
cups
Launchpad, Ubuntu, Debian
Upstream
Released (1.3.10)
cupsys
Launchpad, Ubuntu, Debian
Upstream Needs triage

Notes

AuthorNote
kees
cups/CVE-2009-0164.patch
jdstrand
patch is large, could break existing configurations if the
auto-discovery of alternate names does not work (eg, with CNAMES), and
requires a coordinated attack. The vulnerability appears to be mostly
information leakage, but might also allow starting and stopping of
printers. An attacker trying to perform actions via the web interface should
be challenged by the authentication system. The new ServerAlias directive
will be a part of 1.3.10.

References