CVE-2015-1159
Published 2015-06-26
Priority: P427 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 7.30% (93.6th percentile)
Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | cups | >= 0 < 1.7.5-12 | 1.7.5-12 |
| apple | cups | >= 0 < 1.7.5-12 | 1.7.5-12 |
| apple | cups | >= 0 < 1.7.5-12 | 1.7.5-12 |
| apple | cups | >= 0 < 1.7.5-12 | 1.7.5-12 |
| apple | cups | >= 0 < 1.7.2-0ubuntu1.6 | 1.7.2-0ubuntu1.6 |
| apple | os_x_yosemite_v10.10.3_and_security_update_2015-004 | — | — |
| cups | cups | <= 2.0.2 | — |
| debian | cups | < cups 1.7.5-12 (bookworm) | cups 1.7.5-12 (bookworm) |
Detection & IOCs (extracted from sources)
URL: http://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search
- Detect HTTP GET requests to the CUPS web interface at /help/ containing a QUERY parameter that begins with URL-encoded '<a href="' (i.e., %3Ca%20href%3D%22 or similar); this is the specific XSS injection vector for CVE-2015-1159.
- Monitor HTTP requests to the CUPS port 631 /help/ endpoint with QUERY parameter values containing URL-encoded script tags or HTML injection payloads (e.g., %3Cscript%3E).
- The XSS payload uses an opening HTML comment string '<!--' to avoid parse errors; look for QUERY parameters containing %3C!-- or <!-- in requests to /help/.
- The exploit also leverages IPP_CREATE_JOB or IPP_PRINT_JOB requests with a multi-value 'job-originating-host-name' attribute to trigger a use-after-free (CVE-2015-1158) as a precursor; monitor for IPP requests with abnormally high numbers of 'job-originating-host-name' values.
- The vulnerable code path is in cgi_puts() within cgi-bin/template.c; the flaw is that values starting with '<a href="' bypass HTML escaping of double quotes, allowing attribute injection.
- The XSS is reachable in the default CUPS configuration for Linux, where the scheduler is bound to localhost/loopback; an attacker can use the XSS to bypass that binding restriction.
- CUPS 2.0.3+ mitigates future similar bugs by blocking LD_* and DYLD_* environment variables when running as root, and by removing the localhost listener when 'WebInterface' is disabled (2.1 beta).
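An access-log check for the indicators listed above, added here as an example (not code from the original page or from the CUPS project): it decodes the QUERY parameter of requests to /help/ and reports which of the three markers it carries. The log lines are constructed, and all function and constant names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators from the CVE-2015-1159 notes: a QUERY value beginning with '<a href="'
# (the cgi_puts() escaping bypass), a script tag, and an opening HTML comment.
ANCHOR_PREFIX = '<a href="'
MARKERS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "html_comment": re.compile(r"<!--"),
}
# Minimal Common Log Format match: only the request line is needed.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not captured from any real CUPS host).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jun/2015:10:00:01 +0000] "GET /help/?QUERY=printer+setup&SEARCH=Search HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Jun/2015:10:00:02 +0000] "GET /help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%281%29%3C/script%3E%3C!--&SEARCH=Search HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Jun/2015:10:00:03 +0000] "GET /help/?QUERY=%253Cscript%253E HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Jun/2015:10:00:04 +0000] "GET /printers/?QUERY=%3Cscript%3E HTTP/1.1" 200 512',
]

def inspect_request(target):
    """Return the sorted indicator names matched by one request target ([] if none)."""
    parts = urlsplit(target)
    if not parts.path.startswith("/help"):
        return []
    hits = set()
    # parse_qs decodes one layer; a second unquote() catches double-encoded '<' (%253C).
    for raw in parse_qs(parts.query, keep_blank_values=True).get("QUERY", []):
        value = unquote(raw)
        if value.lstrip().lower().startswith(ANCHOR_PREFIX):
            hits.add("anchor_prefix_bypass")
        for name, pattern in MARKERS.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)

def scan_log(lines):
    """Return (line_number, indicators) for every request line that matches."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if match:
            hits = inspect_request(match.group("target"))
            if hits:
                findings.append((number, hits))
    return findings
```

Run `scan_log(SAMPLE_LOG)`; only the second and third constructed lines are reported, the benign search and the request outside /help/ are not.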
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
The 10.0 scores come from advisories that cover CVE-2015-1158 together with this CVE.
GHSA
GHSA-pmc2-2vx8-fmwf: Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template
ghsa_unreviewed · 2022-05-17 · CVE-2015-1159 [MEDIUM] · CWE-79
OSV
CVE-2015-1159: Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template
osv · 2015-06-26 · CVSS 4.3 · CVE-2015-1159 [MEDIUM]
OSV
cups vulnerabilities
osv · 2015-06-10 · CVSS 10.0 · CVE-2015-1158 [CRITICAL]
It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code. (CVE-2015-1158)
It was discovered that the CUPS templating engine contained a cross-site scripting issue. A remote attacker could use this issue to bypass default configuration settings. (CVE-2015-1159)
Project Zero
Owning Internet Printing - A Case Study in Modern Software Exploitation - Project Zero
project_zero · 2015-06-01 · CVSS 10.0 · CVE-2015-1158 [CRITICAL]
Guest posted by Neel Mehta ([email protected]) - June 19th, 2015
Abstract
Modern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers.
Despite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available f
Red Hat
cups: cross-site scripting flaw in CUPS web UI (VU#810572)
vendor_redhat · 2015-06-10 · CVSS 4.3 · CVE-2015-1159 [MEDIUM] · CWE-79
A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.
Statement: This issue affects the version of cups package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Important security impact and is not currently planned to
Ubuntu
CUPS vulnerabilities
vendor_ubuntu · 2015-06-10 · CVSS 10.0 · CVE-2015-1158 [CRITICAL]
Summary: Several security issues were fixed in CUPS.
It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code. (CVE-2015-1158)
It was discovered that the CUPS templating engine contained a cross-site scripting issue. A remote attacker could use this issue to bypass default configuration settings. (CVE-2015-1159)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2015-1159: cups - Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/tem...
vendor_debian · 2015 · CVSS 4.3 · CVE-2015-1159 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 1.7.5-12)
bullseye: resolved (fixed in 1.7.5-12)
forky: resolved (fixed in 1.7.5-12)
sid: resolved (fixed in 1.7.5-12)
trixie: resolved (fixed in 1.7.5-12)
Apple
CVE-2015-1159: OS X Yosemite v10.10.3 and Security Update 2015-004
vendor_apple · CVSS 4.3 · CVE-2015-1159 [MEDIUM]
Apple Security Update: About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004
Product: OS X Yosemite v10.10.3 and Security Update 2015-004
CVE: CVE-2015-1159
Component: CVE-ID
No detection rules found.
Bugzilla
CVE-2015-1158 CVE-2015-1159 cups: various flaws [fedora-all]
bugzilla · 2015-06-10 · CVSS 10.0 · CVE-2015-1158 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While onl
Bugzilla
CVE-2015-1159 cups: cross-site scripting flaw in CUPS web UI (VU#810572)
bugzilla · 2015-05-14 · CVSS 4.3 · CVE-2015-1159 [MEDIUM]
The following flaw was found in CUPS:
A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. This XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.
Acknowledgements:
Red Hat would like to thank the CERT/CC for reporting this issue.
Discussion:
Public via:
https://www.cups.org/str.php?L4609
---
Created cups tracking bugs for this issue:
Affects: fedora-all [bug 1229979]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Bugzilla
CVE-2015-1158 cups: incorrect string reference counting (VU#810572)
bugzilla · 2015-05-14 · CVSS 10.0 · CVE-2015-1158 [CRITICAL]
The following flaw was found in CUPS:
Cupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd over-decrements the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. They can use this to dismantle ACLs protecting privileged operations, and upload a replacement configuration file, and subsequently run arbitrary code on a target machine.
This bug is exploitable in default configurations, and does not require any special permissions other than the basic ability to print.
Acknowledgements:
Red Hat would like to thank the CERT/CC for reporting this issue.
Discussion:
Public via:
https://www.cups.org/str.
References
http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html
http://rhn.redhat.com/errata/RHSA-2015-1123.html
http://www.cups.org/blog.php?L1082
http://www.debian.org/security/2015/dsa-3283
http://www.kb.cert.org/vuls/id/810572
http://www.securityfocus.com/bid/75106
http://www.securitytracker.com/id/1032556
http://www.ubuntu.com/usn/USN-2629-1
https://bugzilla.opensuse.org/show_bug.cgi?id=924208
https://bugzilla.redhat.com/show_bug.cgi?id=1221642
https://code.google.com/p/google-security-research/issues/detail?id=455
https://security.gentoo.org/glsa/201510-07
https://www.cups.org/str.php?L4609