Published: 24 April 2009
The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks.
patch is large, could break existing configurations if the auto-discovery of alternate names does not work (eg, with CNAMES), and requires a coordinated attack. The vulnerability appears to be mostly information leakage, but might also allow starting and stopping of printers. An attacker trying to perform actions via the web interface should be challenged by the authentication system. The new ServerAlias directive will be a part of 1.3.10.