Vigil@nce: CUPS, Host header not checked
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
The CUPS server does not check the Host header of HTTP headers,
which can be used by an attacker to setup a DNS rebinding attack.
Severity: 1/4
Consequences: data reading
Provenance: internet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 23/04/2009
IMPACTED PRODUCTS
– Fedora
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
A "DNS rebinding" attack has the objective to force the web
browser to connect to a server different than the one which
provided the HTML document. This vulnerability (described in
VIGILANCE-VUL-7237 (https://vigilance.fr/tree/1/7237)) can for
example be used to scan ports or to obtain information without
going through the firewall.
Most modern web browsers implement protections for this attack.
To protect web servers, they have to check the Host header of the
HTTP protocol. However, the web server of CUPS does not check the
Host header.
In the case where the victim does not use a modern web browser, an
attacker can therefore force his browser to connect to the CUPS
server in order to achieve operations on the behalf of the user.
CHARACTERISTICS
Identifiers: BID-34665, CVE-2009-0164, FEDORA-2009-3753,
FEDORA-2009-3769, VIGILANCE-VUL-8668
http://vigilance.fr/vulnerability/CUPS-Host-header-not-checked-8668