Several cross-site scripting (XSS) flaws were found in the way CUPS web
server interface used to process HTML form(s) content. A remote attacker
could provide a specially-crafted HTML page(s), which once visited, by
a local, unsuspecting user could lead to intended client-side security
mechanisms bypass or, potentially, to injecting of malicious scripts into
web pages, processed by CUPS web interface.
Red Hat would like to thank Aaron Sigel of Apple Product Security for
responsibly reporting this issue.
This issue does NOT affect the versions of the cups package, as shipped
with Red Hat Enterprise Linux 3 and 4.
This issue affects the version of the cups package, as shipped
with Red Hat Enterprise Linux 5.
Created attachment 365324 [details]
CVE-2009-2820-cups-1.3v2.patch from Aaron Sigel
Created attachment 365326 [details]
CVE-2009-2820-cups-1.4v2.patch from Aaron Sigel
This issue does not affect CUPS 1.1.x because it does not include the vulnerable admin page.
Created attachment 366865 [details]
It was reported that upstream patch breaks adding a class using the web interface. Following patch was proposed and is being reviewed upstream. It's possible this fix won't make it to upstream 1.4.2.
Now fixed in 1.4.2, which should also contain regression fix mentioned in comment #10:
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1595 https://rhn.redhat.com/errata/RHSA-2009-1595.html
cups-1.4.2-7.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.4.2-7.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.3.11-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.