Comment 4 for bug 106245

Amnon Aaronsohn (bla-cs) wrote : Re: [Bug 106245] Re: [feisty] web vulnerability

On 4/16/07, Martin Pitt <email address hidden> wrote:
> Please elaborate about this. By default, cupsd only listens on
> localhost. Local users can do printing operations much easier.

cupsd listens on localhost but remote web pages can make the browser
access it, as in the example above. Note that the remote web server
doesn't contact cupsd, the locally running web browser does, without
user intervention.

Even if you enable cupsd to listen on all ports, you probably don't
want remote web pages to execute commands which require
authentication, but AFAIK this attack can also work for these commands
since the browser will send the credentials if they're cached.

This can be considered a simple case of CSRF
(http://en.wikipedia.org/wiki/Csrf).

BTW, I'm not sure if the URL always contains the printer's model (as
in my configuration) or some other simple name. To reproduce the bug
you may have to browse first to localhost:631 and copy the URL for a
command into the HTML code. (The remote attacker doesn't have to do
this if he can guess the URL.)
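
An added example, not part of the original comment and not CUPS code: one server-side check a localhost admin service can apply against the cross-site request described above, by requiring that the page that triggered a command request is the service itself. The function names, the `/admin` path, `remote.example` and the sample header sets are constructed for illustration; port 631 is the one named in the comment.

```python
from urllib.parse import urlsplit

# Names the local admin service answers to (assumption; port 631 is the
# one mentioned in the comment above).
ALLOWED_HOSTS = {"localhost:631", "127.0.0.1:631"}


def request_source(headers):
    """Return host[:port] of the page that triggered the request, or None."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    raw = h.get("origin") or h.get("referer")
    if not raw or raw == "null":
        return None
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return parts.netloc.lower()


def allow_command(headers, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a command-executing request may run.

    Applied to every command URL regardless of HTTP method, because the
    scenario above triggers the command with a plain URL fetch.
    """
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    host = h.get("host")
    if host not in allowed_hosts:
        return False       # not addressed to a name this service uses
    source = request_source(headers)
    if source is None:
        return False       # strict policy (assumption): no source, no command
    return source == host  # the triggering page must be the service itself


# Constructed sample requests (header dicts), not captured traffic.
SAMPLES = {
    "admin page itself": {"Host": "localhost:631",
                          "Referer": "http://localhost:631/admin"},
    "remote web page": {"Host": "localhost:631",
                        "Referer": "http://remote.example/page.html"},
    "no source header": {"Host": "localhost:631"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {'allow' if allow_command(hdrs) else 'reject'}")
```

Cached credentials do not change the outcome of this check, since it looks only at where the request came from, not at who is authenticated.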