|
|
Common Security Questions
Does PaperCut store any passwords?
User authentication is performed by the operating system - usually via a directory service such as Active Directory or LDAP. PaperCut does not store any user passwords and instead interrogates the directory service in real-time. Caching or storing passwords is regarded as a security risk. The only exception to this rule is the built-in admin user account. This password is stored in a one-way salted hashed format in the server.properties file. This account is kept separate from the directory user accounts ensuring that administrator level login is still possible even during a directory outage.
What level of encryption does PaperCut use?
Client-server communication of sensitive data is conducted over an SSL link - this is an equivalent level of encryption to that used by a web browser connected on an https:// website.
Does PaperCut use HtmlOnly secured cookies?
Yes. As of version 11.2 all session ID information stored in copies are marked as HtmlOnly to help mitigate the risk associated with some XSS attacks.
Can I open port 9191/9192 to the world?
Best practice suggests not exposing any services to the Internet unless required. Having said that, we have designed PaperCut to be secure and with the intention of our users opening the HTTPS port 9192 to the Internet to facilitate services such as:
- Remote administration
- Allowing end-users to login from home to check balances and add credit/quota to their accounts
We have a number of large University/College sites that have opened up PaperCut's port to the Internet since 2005. It is recommended to open port 9192 (the SSL port) rather than the pain text port 9191.
How can I restrict access to the XML Web Service APIs?
Two levels of access control is provided for the web services APIs. The first is that any call needs to pass a valid authentication token (usually the built-in admin user's password). All calls not passing this will be rejected. The 2nd level of security is IP address level filtering. By default PaperCut will only allow calls from localhost (127.0.0.1), and optionally this can be extended to other servers by manually granting that server's IP address. Valid IP addresses/ranges are defined under the Options section.
I've run a security scanner across PaperCut and it's raised a warning. What does this mean?
PaperCut is in use in tens-of-thousands of organizations and many of them use various security analysis and scanning tools. If the issue raised is marked as "high", please raise these with our support team. Many of these systems raise issues not pertinent to PaperCut and it's print management application, however we like to assess all on a case-by-case basis and will let you know if your developers think they require action.
Is PaperCut certified under security standard XYZ?
Formal security certification is a new and emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut's security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don't have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product itself make certification difficult (e.g. PCI DSS).
Is PaperCut PCI Certified?
PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers "hosted pay page" and credit card details are entered on their website directly.
Is PaperCut susceptible to SQL Injection attacks?
No. All database queries in PaperCut are developed using parameterized SQL. This means that PaperCut never directly builds the SQL statement using data provided by the user (e.g. search terms entered in fields). All SQL parameters are handled by the underlying database library which means that PaperCut is not susceptible to SQL injection attacks.
Tell me about your security development practices?
More information here: Tell me about PaperCut's security
See also
Categories: Implementation / Deployment, Architecture, Security
Comments
Share your findings and experience with other PaperCut users. Feel free to add comments and suggestions about this Knowledge Base article. Please don't use this for support requests.