Summary
When the AuthType is set to anything but Basic, if the request contains an Authorization: Basic ... header, the password is not checked.
Details
When the Authorization header uses the Basic scheme but, in cupsdAuthorize in scheduler/auth.c, type is not CUPSD_AUTH_BASIC, the password-checking step is skipped.
PoC
- Configure CUPS with DefaultAuthType Negotiate.
- Start CUPS.
- Send a request to CUPS with Authorization: Basic $(echo -n admin:x | base64), where admin is an administrator username and x is literally the string x.
Impact
Authentication bypass. Any configuration that allows an AuthType that is not Basic is affected.
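As an added example (not part of the advisory or of CUPS), a small Python audit that parses a constructed cupsd.conf fragment and lists the scopes whose effective AuthType is something other than Basic, i.e. the configurations the Impact section describes as affected. It assumes the standard cupsd.conf block syntax (<Location>, <Policy>, <Limit>), that AuthType Default resolves to DefaultAuthType, and that an absent DefaultAuthType means Basic.

```python
import re

# Constructed cupsd.conf fragment (not from the advisory) used as input below.
SAMPLE_CUPSD_CONF = """\
DefaultAuthType Negotiate
<Location /admin>
  AuthType Default
</Location>
<Location /admin/conf>
  AuthType Basic
</Location>
<Policy default>
  <Limit Pause-Printer Resume-Printer>
    AuthType None
  </Limit>
</Policy>
"""
_BLOCK_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
_BLOCK_CLOSE = re.compile(r"^</\w+>$")

def effective_auth_types(conf: str) -> dict[str, str]:
    """Effective AuthType per scope, with 'Default' resolved to DefaultAuthType.
    When DefaultAuthType is absent, cupsd's built-in default is Basic."""
    default_type, raw, stack = "Basic", {}, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := _BLOCK_OPEN.match(line):  # <Location ...>, <Policy ...>, <Limit ...>
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
        elif _BLOCK_CLOSE.match(line):
            stack.pop()
        else:
            parts = line.split(None, 1)
            directive, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            if directive == "defaultauthtype" and not stack:
                default_type = value
            elif directive == "authtype":
                raw["/".join(stack) or "(global)"] = value
    resolved = {"DefaultAuthType": default_type}
    for scope, value in raw.items():
        resolved[scope] = default_type if value.lower() == "default" else value
    return resolved

def affected_scopes(conf: str) -> list[str]:
    """Scopes whose effective AuthType is neither Basic nor None: only Basic makes
    cupsdAuthorize check a Basic password, and None asks for no credentials."""
    return sorted(s for s, t in effective_auth_types(conf).items()
                  if t.lower() not in ("basic", "none"))
```

Run affected_scopes over a real cupsd.conf to see which locations and policy limits currently rely on a non-Basic AuthType and therefore need the patched scheduler.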