CUPS Web Interface Information Disclosure Vulnerability

2015年7月21日

危険度: : 中

CVE識別番号: CVE-2010-1748

概要

The cgi_initialize_string function in cgi-bin/var.c in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, does not properly handle parameter values containing a % (percent) character without two subsequent hex characters, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via a crafted request, as demonstrated by the (1) /admin?OP=redirect&URL=% and (2) /admin?URL=/admin/&OP=% URIs.

トレンドマイクロの対策

Apply associated Trend Micro DPI Rules.

対応方法

Trend Micro Deep Security DPI Rule Number: 1004273

Trend Micro Deep Security DPI Rule Name: 1004273 - CUPS Web Interface Information Disclosure Vulnerability

影響を受けるソフトウェア

Apple CUPS 1.1
Apple CUPS 1.1.1
Apple CUPS 1.1.10
Apple CUPS 1.1.10-1
Apple CUPS 1.1.11
Apple CUPS 1.1.12
Apple CUPS 1.1.13
Apple CUPS 1.1.14
Apple CUPS 1.1.15
Apple CUPS 1.1.16
Apple CUPS 1.1.17
Apple CUPS 1.1.18
Apple CUPS 1.1.19
Apple CUPS 1.1.2
Apple CUPS 1.1.20
Apple CUPS 1.1.21
Apple CUPS 1.1.22
Apple CUPS 1.1.23
Apple CUPS 1.1.3
Apple CUPS 1.1.4
Apple CUPS 1.1.5
Apple CUPS 1.1.5-1
Apple CUPS 1.1.5-2
Apple CUPS 1.1.6
Apple CUPS 1.1.6-1
Apple CUPS 1.1.6-2
Apple CUPS 1.1.6-3
Apple CUPS 1.1.7
Apple CUPS 1.1.8
Apple CUPS 1.1.9
Apple CUPS 1.1.9-1
Apple CUPS 1.2
Apple CUPS 1.2.0
Apple CUPS 1.2.1
Apple CUPS 1.2.10
Apple CUPS 1.2.11
Apple CUPS 1.2.12
Apple CUPS 1.2.2
Apple CUPS 1.2.3
Apple CUPS 1.2.5
Apple CUPS 1.2.6
Apple CUPS 1.2.7
Apple CUPS 1.2.8
Apple CUPS 1.2.9
Apple CUPS 1.3
Apple CUPS 1.3.0
Apple CUPS 1.3.1
Apple CUPS 1.3.10
Apple CUPS 1.3.11
Apple CUPS 1.3.2
Apple CUPS 1.3.3
Apple CUPS 1.3.4
Apple CUPS 1.3.5
Apple CUPS 1.3.6
Apple CUPS 1.3.7
Apple CUPS 1.3.8
Apple CUPS 1.3.9
Apple CUPS 1.4.0
Apple CUPS 1.4.1
Apple CUPS 1.4.2
Apple CUPS 1.4.3
apple cups 1.2.4