2007-04-13 15:03:34 |
Amnon Aaronsohn |
bug |
|
|
added bug |
2007-04-13 17:51:15 |
Brian Murray |
cupsys: status |
Unconfirmed |
Needs Info |
|
2007-04-13 17:51:15 |
Brian Murray |
cupsys: assignee |
|
brian-murray |
|
2007-04-13 17:51:15 |
Brian Murray |
cupsys: statusexplanation |
|
Thanks for taking the time to report this bug and helping to make Ubuntu better. With which version of cupsys and Ubuntu did you notice this? Thanks in advance. |
|
2007-05-17 00:58:52 |
Kees Cook |
cupsys: status |
Needs Info |
Confirmed |
|
2007-05-17 00:58:52 |
Kees Cook |
cupsys: importance |
Undecided |
Low |
|
2007-05-17 00:58:52 |
Kees Cook |
cupsys: statusexplanation |
Thanks for taking the time to report this bug and helping to make Ubuntu better. With which version of cupsys and Ubuntu did you notice this? Thanks in advance. |
Yes, this is a design flaw in how CUPS handles its URLs. As described, I think this is a only a minor issue, since the printer name must be known, and no attacker-input is used (it prints the pre-configured test page, and not text that the attacker can control). However, further investigation into CUPS is needed, in case there are additional vectors.
|
|
2007-05-17 00:58:52 |
Kees Cook |
cupsys: assignee |
brian-murray |
keescook |
|
2007-05-17 00:59:37 |
Kees Cook |
title |
[feisty] web vulnerability |
[feisty] CSRF allows test page printing |
|
2007-07-19 20:37:14 |
Kees Cook |
cupsys: assignee |
keescook |
|
|
2007-07-19 20:37:14 |
Kees Cook |
cupsys: statusexplanation |
Yes, this is a design flaw in how CUPS handles its URLs. As described, I think this is a only a minor issue, since the printer name must be known, and no attacker-input is used (it prints the pre-configured test page, and not text that the attacker can control). However, further investigation into CUPS is needed, in case there are additional vectors.
|
|
|
2013-06-06 15:09:23 |
Phillip Susi |
cupsys (Ubuntu): status |
Confirmed |
Invalid |
|