Common Security Questions

Main.CommonSecurityQuestions History

March 14, 2018, at 03:40 AM by Willem Groenewald -
Changed line 155 from:
  • PaperCut Security white paper
to:
  • PaperCut Security white paper
December 05, 2017, at 02:45 AM by peterf - Minor touch up
Changed line 145 from:

Furthermore, Web Print Servers running version 17.4.2 or later of PaperCut MF and PaperCut NG can disallow the execution of any embedded document macros. This is controlled with the web-print.disable-macros configuration key, accessible via the [https://www.papercut.com/products/ng/manual/common/topics/sys-config-editor.html|Config Editor]. This should minimise the possibility of document-borne attacks impacting your Web Print setup.

to:

Furthermore, Web Print Servers running version 17.4.2 or later of PaperCut MF and PaperCut NG can disallow the execution of any embedded document macros. This is controlled with the web-print.disable-macros configuration key, accessible via the Config Editor. This should minimise the possibility of document-borne attacks impacting your Web Print setup.
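Review bot: The "to:" text drops the earlier wording that macros are disallowed by default, but does not say what web-print.disable-macros actually defaults to, so a reader of the finished answer cannot tell whether a fresh 17.4.2 install blocks macros or whether the key must be set by hand. Suggest stating the default alongside the key, e.g. "This is controlled with the web-print.disable-macros configuration key (default: <state the default here>)", and keeping the preceding Sandbox Mode recommendation as the primary control, since the macro switch only addresses one class of document-borne attack.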

December 05, 2017, at 02:44 AM by peterf - Minor touch up
Changed line 145 from:

Furthermore, Web Print Servers running version 17.4.2 or later of PaperCut MF and PaperCut NG will disallow by default the execution of any embedded document macros. This should minimise the possibility of document-borne attacks impacting your Web Print setup.

to:

Furthermore, Web Print Servers running version 17.4.2 or later of PaperCut MF and PaperCut NG can disallow the execution of any embedded document macros. This is controlled with the web-print.disable-macros configuration key, accessible via the [https://www.papercut.com/products/ng/manual/common/topics/sys-config-editor.html|Config Editor]. This should minimise the possibility of document-borne attacks impacting your Web Print setup.

December 05, 2017, at 01:27 AM by peterf - Updated with new entry around Web Print security for 17.4.2
Added lines 140-145:

Q Configuring the Web Print feature to support Microsoft Office documents involves installing Office on my Web Print Server/s. Does the submission of documents that contain embedded macros present a security risk?

To establish support for Office documents, we recommend that Web Print be configured in “Sandbox Mode”. This partitions the running of the Web Print service off to one or more Web Print Servers; machines distinct from the key components of the PaperCut MF or PaperCut NG solution architecture, which are minimally configured and wholly dedicated to their task. By doing so, the opening and rendering of Office documents is contained to only these standalone servers, and if one of these machines is then compromised, only transient document data is potentially exposed. The afflicted Web Print Server can then be torn down and restored from a basic system image, removing the threat in the process.

Furthermore, Web Print Servers running version 17.4.2 or later of PaperCut MF and PaperCut NG will disallow by default the execution of any embedded document macros. This should minimise the possibility of document-borne attacks impacting your Web Print setup.

September 12, 2017, at 02:29 AM by peterf - Added three new sections to reflect recent security enhancements
Added lines 128-139:

Q Some areas of the user interface suggest that the software occasionally contacts PaperCut servers to retrieve information; for example, when I click to Check for updates on the About tab in the Admin web interface. Is this outbound communication performed securely?

In the past, contact to PaperCut servers to check for updates, send error reports on user command, or download news content was performed over regular HTTP. From version 17.2.3 forwards of PaperCut NG and PaperCut MF, all outbound contact is made using SSL over HTTPS, minimizing the risk of these communications being intercepted.

Q Does the application have protections against CSRF (Cross-Site Request Forgery) attacks?

A number of preventative measures against common CSRF attack vectors are implemented in PaperCut NG and PaperCut MF, seeking to ensure that an individual cannot modify HTTP request content in such a way that grants elevated access to system information or configuration. For example, as of version 17.3, header-based checks are enabled by default, validating the request origin by cross-checking the supplied origin and destination headers, and denying requests with unknown origin.

Q I’ve noticed that system error pages contain some diagnostic information. Is this anything to be concerned about?

Prior to version 17.3 of PaperCut NG and PaperCut MF, HTML error pages would provide some technical context for the error, in order to aid diagnosis of the cause. Amongst the context provided was basic system information, which for highly secure environments could be considered to be unnecessary exposure. From 17.3 onwards, PaperCut NG and PaperCut MF will default to only outputting stack trace data when generating these error pages, eliding any information which could be considered identifying.
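Review bot: Three points in this added section. (1) Error pages: saying they default to "only outputting stack trace data" while "eliding any information which could be considered identifying" is contradictory, because a Java stack trace still exposes internal class and package names, library versions and sometimes file paths; state whether stack traces can also be suppressed for production deployments and, if a setting exists for that, name it. (2) CSRF: the paragraph says requests with unknown origin are denied but not how requests with no Origin or Referer header at all are treated (proxies and browser privacy settings strip them), nor whether the header checks are combined with per-session anti-CSRF tokens on state-changing requests; both are worth stating, since origin checks on their own are normally regarded as a defence-in-depth layer. (3) "SSL over HTTPS" is a misnomer: HTTPS is already HTTP over TLS (formerly SSL), so write "over HTTPS (TLS)", and say whether the certificate of the update/news endpoint is validated against a trusted CA, because encryption without validation does not stop a forged endpoint returning a misleading update notice.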

August 22, 2017, at 11:28 PM by Geoff Smith - Update question Is PaperCut certified under security standard XYZ?
Changed lines 96-101 from:

Formal security certification is a new and emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product itself make certification difficult (e.g. PCI DSS).

to:

PaperCut is developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). We currently do not hold a formal security certification such as ISO 27001.

With the well justified increased industry focus on security PaperCut Software is continuously working to formalise our security practices:

  • Our Security Response Team (SRT) led by our Head of Development provides personalised and timely responses by our security specialists to any reported issues.
  • We work with external security consultants to audit our security policies and practices in general, as well as the specific technologies and architectures used to protect customer information in PaperCut NG and MF.
  • PaperCut customers and prospects are regularly PEN testing and auditing our software and we give high priority to fixing any vulnerabilities found.
August 01, 2017, at 08:58 PM by BrianL - Jeff @eco noticed this and let us know
Changed line 5 from:

Absolutely! We have pooled our knowledge and created a comprehensive Print Security whitepaper that will help you not only make the most of PaperCut’s security features, but also help you secure your entire print infrastructure. Take a look at: PaperCut Security white paper

to:

Absolutely! We have pooled our knowledge and created a comprehensive Print Security whitepaper that will help you not only make the most of PaperCut’s security features, but also help you secure your entire print infrastructure. Take a look at: PaperCut Security white paper

July 11, 2017, at 08:10 AM by peterf - Minor tweaks
Changed lines 118-119 from:

The EU General Data Protection Regulation (GDPR) mandates that users have a Right to Access all stored data associated with them, as well as the Right to be Forgotten; to have all identifiable data related to them which is stored by an organisation permanently removed upon request. As of version 17.2, we have implemented methods which empower an organisation to meet these requirements with respect to their print system. Understanding that total compliance with GDPR is of critical importance to organisations operating within the EU, we’ve also sought to ease the burden of transition by authoring a GDPR Compliance Guide to help you along the way!

to:

The EU General Data Protection Regulation (GDPR) mandates that users have a Right to Access all stored data associated with them, as well as the Right to be Forgotten; to have all identifiable data related to them which is stored by an organisation permanently removed upon request. This is a significant seachange, reflecting the ever-increasing emphasis placed on securing and protecting personal data within information systems.

As of version 17.2, we have implemented methods which empower an organisation to meet these requirements with respect to their print system. Understanding that total compliance with GDPR is of critical importance to organisations operating within the EU, we’ve also sought to ease the burden of transition by authoring a GDPR Compliance Guide to help you along the way!

Changed line 133 from:
  • https://www.papercut.com/kb/Main/GDPR
to:
  • General Data Protection Regulation (GDPR)
July 11, 2017, at 08:06 AM by peterf - Updating to reference GDPR for version 17.2
Added lines 116-121:

Q PaperCut NG and PaperCut MF stores information about my printing users… can the application be compliant with the EU General Data Protection Regulation (GDPR)?

The EU General Data Protection Regulation (GDPR) mandates that users have a Right to Access all stored data associated with them, as well as the Right to be Forgotten; to have all identifiable data related to them which is stored by an organisation permanently removed upon request. As of version 17.2, we have implemented methods which empower an organisation to meet these requirements with respect to their print system. Understanding that total compliance with GDPR is of critical importance to organisations operating within the EU, we’ve also sought to ease the burden of transition by authoring a GDPR Compliance Guide to help you along the way!

For further information, check out our Knowledge Base article on GDPR.

Added line 131:
  • https://www.papercut.com/kb/Main/GDPR
May 16, 2017, at 03:59 AM by peterf - Updated to reflect 17.1 release
Changed lines 67-70 from:

Q Does PaperCut use HtmlOnly secured cookies?

Yes. As of version 11.2 all session ID information stored in copies are marked as HtmlOnly to help mitigate the risk associated with some XSS attacks.

to:

Q Does PaperCut use Secure and HttpOnly secured cookies?

Yes. As of PaperCut NG and PaperCut MF 17.1, all session cookies generated for access attempts over secure connections are marked as both Secure and HtmlOnly in order to help mitigate a number of potential risks, such as certain styles of XSS attack, as well as the interception of secure session data improperly transmitted in cleartext.
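Review bot: Inconsistent flag name in the "to:" block: the question now reads "Secure and HttpOnly", but the answer still says "HtmlOnly". The cookie attribute is HttpOnly (it blocks script access to the cookie via document.cookie); there is no HtmlOnly attribute, so the answer should be corrected to match the question. It would also help to state what happens to sessions established over plain HTTP, since the Secure flag is only applied "for access attempts over secure connections" and those sessions remain exposed to interception.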

Added lines 110-114:

Q Do PaperCut NG and PaperCut MF support the use of digital signatures for printed documents?

Our document watermarking functionality can be easily leveraged to inject a digital signature into every printed page. This signature is generated by combining key print job attributes (e.g. time of print, username, printer name, document name) with a secret key, using a cryptographic algorithm to create an encoded string which is unique for each document. Both the MD5 and SHA1 message digest algorithms are available to transform these elements into unique signature strings, allowing the degree of cryptographic security to be configured. The resulting signatures can be used to trace printed pages back to their users of origin, allowing you to follow-up undesired or unlawful transmission of classified content.

As of version 17.1 of PaperCut NG and PaperCut MF, watermarks can be applied across the full page, such that signatures are visible over the entire printed document. This renders the removal of a signature from the printed page impossible.
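Review bot: The added digital-signature answer presents MD5 and SHA1 as the configurable "degree of cryptographic security"; both are deprecated for new designs, and a plain digest over attributes concatenated with a secret is a weaker construction than a keyed MAC (HMAC) over the same fields. Suggest offering a keyed construction with SHA-256 or stronger as the recommended option, noting that the secret key must be protected because anyone holding it can produce a valid watermark, and softening "renders the removal of a signature from the printed page impossible" to "impractical", since a full-page watermark raises the cost of removal but does not make it impossible.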

May 04, 2017, at 12:08 AM by Aaron Pouliot - Fixed line formatting.
Changed lines 27-28 from:

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using any build above PaperCut NG & MF 14.3 build (29819). Instructions on how to customize which ciphers and protocols are used by PaperCut can be found here: https://www.papercut.com/kb/Main/SSLCipherConfiguration.

to:

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using any build above PaperCut NG & MF 14.3 build (29819). Instructions on how to customize which ciphers and protocols are used by PaperCut can be found here: https://www.papercut.com/kb/Main/SSLCipherConfiguration.

May 04, 2017, at 12:07 AM by Aaron Pouliot -
Changed lines 27-29 from:

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using any build above PaperCut NG & MF 14.3 build (29819).

More information on customizing which ciphers and protocols are used by PaperCut can be found here:

to:

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using any build above PaperCut NG & MF 14.3 build (29819). Instructions on how to customize which ciphers and protocols are used by PaperCut can be found here:

May 04, 2017, at 12:03 AM by Aaron Pouliot - Moved redundant information on configuring SSL/TLS to SSL Cipher configuration KB
Changed lines 27-31 from:

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using any build above PaperCut NG & MF 14.3 build (29819). Add the following line to your server.properties file and restart the application server:

server.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1

Take care and test thoroughly if you are running a fleet of MFD devices with PaperCut MF. Whilst some MFDs do not support all TLS versions, most will support TLS v1.0. It is possible that some older MFDs may require SSL 3.0 and the above configuration change will block HTTPS connections from these devices.

to:

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using any build above PaperCut NG & MF 14.3 build (29819).

More information on customizing which ciphers and protocols are used by PaperCut can be found here: https://www.papercut.com/kb/Main/SSLCipherConfiguration.

March 23, 2017, at 06:14 AM by 139.130.165.134 -
Added lines 3-6:

Q Does PaperCut have a print security best practice checklist?

Absolutely! We have pooled our knowledge and created a comprehensive Print Security whitepaper that will help you not only make the most of PaperCut’s security features, but also help you secure your entire print infrastructure. Take a look at: PaperCut Security white paper

Changed line 123 from:
  • Securing your Print System - Print Security white paper
to:
  • PaperCut Security white paper
March 07, 2017, at 06:59 AM by 139.130.165.134 -
Added line 119:
  • Securing your Print System - Print Security white paper
April 12, 2016, at 12:03 PM by 109.147.66.152 -
Changed line 45 from:

Internal user passwords are stored in the PaperCut database as a one-way hash in line with security best practice - an MD5 sum factored from a combination of username + password + a salt. This use of a secure one-way hash ensures that users’ passwords are kept private even if someone has access to the PaperCut database.

to:

Internal user passwords are stored in the PaperCut database as a one-way hash in line with security best practice - a BCrypt sum factored from a combination of username + password + a salt. This use of a secure one-way hash ensures that users’ passwords are kept private even if someone has access to the PaperCut database.
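Review bot: The "to:" line swaps MD5 for BCrypt but keeps the MD5-era phrasing "a BCrypt sum factored from a combination of username + password + a salt". bcrypt is a password-hashing function that generates and stores its own random salt and has a tunable cost factor, so "sum" and the manual-salt description no longer fit. Suggest "a bcrypt hash with a per-user random salt and a configurable work factor", and stating the cost factor in use, since that is what keeps the hashes slow to brute-force if the database is exposed.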

June 04, 2015, at 04:31 AM by josh - added tls for version 15/dropped note requiring properties change
Changed lines 23-24 from:

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using the latest PaperCut MF 14.2 build 28942, and also the PaperCut NG & MF 14.3 build (29819). Add the following line to your server.properties file and restart the application server:

to:

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using any build above PaperCut NG & MF 14.3 build (29819). Add the following line to your server.properties file and restart the application server:

Deleted lines 26-27:

Note: Customers running PaperCut on TCP 443 via the server.enable-https-on-port-443 will need to obtain a special build from PaperCut Technical Support. You will need to reference internal ticket number 3811 when you get in touch.

March 23, 2015, at 01:51 PM by rossm - added Shellshock
Added lines 3-6:

Q Is PaperCut impacted by the Shellshock vulnerability?

We have detailed information on this subject on our dedicated GNU Bash Vulnerability page.

Changed lines 8-9 from:

Customers running versions prior to version 14 should upgrade their servers. The versions contain a more recent version of Java.

to:

Customers running versions prior to version 14 should upgrade their servers as these later versions contain a more recent version of Java.

Changed lines 102-103 from:

Our coding standard and design policies are designed to limit this type of attack. All database queries in PaperCut are developed using parametrized SQL. This means that PaperCut never directly builds the SQL statement using data provided by the user (e.g. search terms entered in fields). All SQL parameters are handled by the underlying database library which means that PaperCut is not susceptible to SQL injection attacks.

to:

Our coding standard and design policies are designed to limit this type of attack. All database queries in PaperCut are developed using parameterized SQL. This means that PaperCut never directly builds the SQL statement using data provided by the user (e.g. search terms entered in fields). All SQL parameters are handled by the underlying database library which means that PaperCut is not susceptible to SQL injection attacks.

March 11, 2015, at 01:52 AM by matt - more description about freak.
Changed lines 6-9 from:

PaperCut is not vulnerable to the SSL/TLS FREAK attack.

Customers running versions prior to version 14 should upgrade their servers.

to:

The “FREAK” attack allows a malicious man-in-the-middle to downgrade the strength of encryption used. This vulnerability applies to some SSL/TLS implementations. PaperCut uses recent versions of the Java platform which is not vulnerable to the FREAK attack.

Customers running versions prior to version 14 should upgrade their servers. The versions contain a more recent version of Java.

Changed lines 8-9 from:

PaperCut has tested and confirmed all versions 14.3 and higher are not vulnerable.

to:

Customers running versions prior to version 14 should upgrade their servers.

March 10, 2015, at 03:20 AM by matt - add FREAK attack
Added lines 3-9:

Q Is PaperCut affected by the SSL/TLS FREAK attack (CVE-2015–0204)?

PaperCut is not vulnerable to the SSL/TLS FREAK attack.

PaperCut has tested and confirmed all versions 14.3 and higher are not vulnerable.

March 04, 2015, at 10:52 PM by Alec - Added note about encrypted PINs
Added lines 38-39:

In addition PaperCut also encrypts all user’s Personal Identification Numbers used to secure card numbers.

Changed line 11 from:
to:
December 01, 2014, at 06:13 AM by 203.222.91.204 -
Changed lines 40-41 from:

Communication between the PaperCut server and Active Directory (AD) is provided and secured by the Windows operating system. PaperCut calls the AD API on the local Windows system, and the PaperCut software does not collect nor send passwords over the network to any remote server, as this is handled by AD itself.

to:

Communication between the PaperCut server and Active Directory (AD) is provided and secured by the Windows operating system. PaperCut calls the AD API on the local Windows system, and the PaperCut software does not collect passwords over the network to any remote server, as this is handled by AD itself.
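Review bot: Dropping "nor send" leaves the "to:" sentence ungrammatical: "does not collect passwords over the network to any remote server" no longer parses. If the intent was to drop the claim about sending, the sentence should read "the PaperCut software does not collect passwords; authentication is handled by AD itself"; otherwise restore "collect nor send".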

December 01, 2014, at 06:13 AM by 203.222.91.204 -
Changed lines 40-41 from:

Communication between the PaperCut server and Active Directory (AD) is provided and secured by the Windows operating system. PaperCut calls the AD API on the local Windows system and does not send passwords over the network to any remote server, as this is handled by AD itself.

to:

Communication between the PaperCut server and Active Directory (AD) is provided and secured by the Windows operating system. PaperCut calls the AD API on the local Windows system, and the PaperCut software does not collect nor send passwords over the network to any remote server, as this is handled by AD itself.

December 01, 2014, at 06:12 AM by 203.222.91.204 -
Changed lines 38-39 from:

Q How does PaperCut send Active Directory authentication?

to:

Q How does PaperCut authenticate with Active Directory?

December 01, 2014, at 06:11 AM by 203.222.91.204 -
Added lines 38-43:

Q How does PaperCut send Active Directory authentication?

Communication between the PaperCut server and Active Directory (AD) is provided and secured by the Windows operating system. PaperCut calls the AD API on the local Windows system and does not send passwords over the network to any remote server, as this is handled by AD itself.

PaperCut does not store any user passwords and instead interrogates the directory service in real-time, as caching or storing passwords is regarded as a security risk. The only exceptions to this rule are the built-in admin user account and PaperCut internal accounts which is covered above.

Added line 3:

Changed lines 11-12 from:

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using the latest PaperCut MF 14.2 build 28942, and also the PaperCut NG & MF 14.3 release (due out mid-Oct-2014). Add the following line to your server.properties file and restart the application server:

to:

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using the latest PaperCut MF 14.2 build 28942, and also the PaperCut NG & MF 14.3 build (29819). Add the following line to your server.properties file and restart the application server:

Added lines 15-16:

Note: Customers running PaperCut on TCP 443 via the server.enable-https-on-port-443 will need to obtain a special build from PaperCut Technical Support. You will need to reference internal ticket number 3811 when you get in touch.

Changed lines 18-19 from:

http://security.stackexchangeg.com/questions/70719/ssl3-poodle-vulnerability

to:

http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability

Added lines 3-19:

Q Is PaperCut affected by the SSL 3.0 Poodle vulnerability (otherwise known as CVE-2014–3566)?

This vulnerability, nicknamed Poodle can provide a way for attackers to eavesdrop on HTTPS connections running over SSL 3.0. The typical scenario cited involves an attacker running a fake Wi-Fi hot-spot which injects javascript into a non-secure web page. This javascript proceeds to compromise a secure site running SSL 3.0 for which the browser holds a cookie. Unlike the recent HeartBleed vulnerability, Poodle does not expose the server to a standalone attack.

SSL 3.0 is an older protocol, now superseded by TLS. It will generally only be used when both the web server and the client cannot use a more recent TLS protocol. These days, this scenario is becoming less and less common. For example, users would need to be on a browser no more recent than Internet Explorer 6. It is possible, however that a man-in the middle attacker could intercept the protocol negotiation and force a downgrade to SSL 3.0.

In the case of HTTPS connections to the the PaperCut server, TLS is always used if the client permits, however SSL 3.0 will be negotiated if TLS is not supported by the client.

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using the latest PaperCut MF 14.2 build 28942, and also the PaperCut NG & MF 14.3 release (due out mid-Oct-2014). Add the following line to your server.properties file and restart the application server:

server.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1

Take care and test thoroughly if you are running a fleet of MFD devices with PaperCut MF. Whilst some MFDs do not support all TLS versions, most will support TLS v1.0. It is possible that some older MFDs may require SSL 3.0 and the above configuration change will block HTTPS connections from these devices.

More information on Poodle, can be found here: http://security.stackexchangeg.com/questions/70719/ssl3-poodle-vulnerability
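Review bot: The server.ssl.protocols line in this hunk enables TLSv1 and TLSv1.1 alongside TLSv1.2, and the surrounding text frames the trade-off only in terms of MFD compatibility. Suggest adding that the list should be revisited as clients drop the older TLS versions, and giving administrators a way to confirm the change took effect after the restart (e.g. checking that an SSL 3.0 handshake to the server is refused with a TLS client tool) before rolling it out to a device fleet. The stackexchange URL at the end of the hunk also contains a typo ("stackexchangeg"), which the later revision corrects.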

Changed lines 63-64 from:

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly. Please read follow this link for more detail on PaperCut and PCI DSS v3.

to:

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly. Please follow this link for more detail on PaperCut and PCI DSS v3.

Changed lines 63-64 from:

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly. Please see here for further details.

to:

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly. Please read follow this link for more detail on PaperCut and PCI DSS v3.

August 12, 2014, at 05:50 AM by TimB - Added reference to new PCI Compliance page
Changed lines 63-64 from:

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly. PCI certification is not something PaperCut can see as an application as certification is implementation and site specific. A number of PaperCut customers (such as Universities) are subject to PCI requirements and the PaperCut servers running on these sites are scanned at least once a month.

to:

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly. Please see here for further details.

April 16, 2014, at 03:52 AM by TimBentley - Corrected statement about OpenSSL commandline tool.
Changed lines 7-8 from:

We do ship a standalone OpenSSL utility with our products. This utility is provided purely as a convenience for end users to generate and combine keys and certificates, and these activities are not impacted by the Heartbleed vulnerability.

to:

We do suggest using a standalone OpenSSL utility in some cases for key and certificate generation. This utility is not impacted by the Heartbleed vulnerability.

April 16, 2014, at 02:16 AM by TimBentley - Grammar fix
Changed lines 5-6 from:

Neither PaperCut MF nor PaperCut NG are affected by the Heartbleed issue, as neither product uses OpenSSL libraries. The PaperCut.com website is also not impacted as it uses a version of OpenSSL that does not contain the vulnerability.

to:

Neither PaperCut MF nor PaperCut NG is affected by the Heartbleed issue, as neither product uses OpenSSL libraries. The PaperCut.com website is also not impacted as it uses a version of OpenSSL that does not contain the vulnerability.

April 16, 2014, at 01:53 AM by TimBentley - Reworded Heartbleed text and moved to top of page.
Added lines 3-9:

Q Is PaperCut affected by the OpenSSL “Heartbleed” vulnerability (otherwise known as CVE-2014–0160)?

Neither PaperCut MF nor PaperCut NG are affected by the Heartbleed issue, as neither product uses OpenSSL libraries. The PaperCut.com website is also not impacted as it uses a version of OpenSSL that does not contain the vulnerability.

We do ship a standalone OpenSSL utility with our products. This utility is provided purely as a convenience for end users to generate and combine keys and certificates, and these activities are not impacted by the Heartbleed vulnerability.

There is more general information about Heartbleed here: http://heartbleed.com/

Deleted lines 25-32:

Q Is PaperCut affected by the OpenSSL? “Heartbleed” vulnerability (otherwise known as CVE-2014–0160)?

Neither PaperCut MF nor PaperCut NG are not affected by the Heartbleed issue, as neither product uses OpenSSL?. The PaperCut.com website is also not impacted as it uses a version of OpenSSL? that does not contain the vulnerability.

Note that we do mention an Open SSL utility in our documentation here, however since this is only being used to combine the Key and the Certificate, this is also not an issue.

There is more general information about this issue and further advice here: http://heartbleed.com/

Changed lines 19-22 from:

Q Is PaperCut affected by the heartbleed bug with Open SSL?

With the recent news of the heartbleed bug (otherwise known as CVE-2014–0160), we can confirm that PaperCut MF and PaperCut NG are not impacted by the heartbleed issue since they do not use Open SSL. PaperCut.com is also not impacted since it uses a version of Open SSL that is not affected.

to:

Q Is PaperCut affected by the OpenSSL? “Heartbleed” vulnerability (otherwise known as CVE-2014–0160)?

Neither PaperCut MF nor PaperCut NG are not affected by the Heartbleed issue, as neither product uses OpenSSL?. The PaperCut.com website is also not impacted as it uses a version of OpenSSL? that does not contain the vulnerability.

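Review bot: the replacement text introduces a double negative, "Neither PaperCut MF nor PaperCut NG are not affected", which reads as saying both products are affected; the intended sentence is "Neither PaperCut MF nor PaperCut NG is affected". The trailing "?" after each "OpenSSL" is the wiki's marker for a link to a page that does not exist, so either create that page or write OpenSSL as plain text.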
Changed lines 19-22 from:

Q Is PaperCut affected by the ‘heartbleed’ bug with Open SSL?

With the recent news of the ‘heartbleed’ bug (otherwise known as CVE-2014–0160), we can confirm that PaperCut MF and PaperCut NG are not impacted by the heartbleed issue since they do not use Open SSL. PaperCut.com is also not impacted since it uses a version of Open SSL that is not affected.

to:

Q Is PaperCut affected by the heartbleed bug with Open SSL?

With the recent news of the heartbleed bug (otherwise known as CVE-2014–0160), we can confirm that PaperCut MF and PaperCut NG are not impacted by the heartbleed issue since they do not use Open SSL. PaperCut.com is also not impacted since it uses a version of Open SSL that is not affected.

April 09, 2014, at 11:42 PM by TimG - Added info about heartbleed bug
Added lines 19-26:

Q Is PaperCut affected by the ‘heartbleed’ bug with Open SSL?

With the recent news of the ‘heartbleed’ bug (otherwise known as CVE-2014–0160), we can confirm that PaperCut MF and PaperCut NG are not impacted by the heartbleed issue since they do not use Open SSL. PaperCut.com is also not impacted since it uses a version of Open SSL that is not affected.

Note that we do mention an Open SSL utility in our documentation here, however since this is only being used to combine the Key and the Certificate, this is also not an issue.

There is more general information about this issue and further advice here: http://heartbleed.com/

Changed lines 64-66 from:

PaperCut makes use of a number of 3rd party libraries and components. The security of components is actively monitored by our development team and if any are raised, we assess the impact this may have. We take the topic of security for any 3rd component as serious as we do for our own code base. In some situations we have worked with the 3rd party vendors to address security issues. Another example of 3rd party security is the Ghost Trap project. This initiative was started by PaperCut and aims to bring best of breed security to the Ghostscript PDL interpreters.

to:

PaperCut makes use of a number of third party libraries and components. The security of components is actively monitored by our development team and if any are raised, we assess the impact this may have. We take the topic of security for any 3rd component as serious as we do for our own code base. In some situations we have worked with the 3rd party vendors to address security issues. Another example of active 3rd party security management is the Ghost Trap project. This initiative was started by PaperCut and aims to bring best of breed security to the Ghostscript PDL interpreters.

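Review bot: the edit changes only the first "3rd party" to "third party" and leaves "3rd party vendors" and "3rd component" (which is also missing the word "party"), so the paragraph is now inconsistent with itself. "if any are raised" has no subject; say what is raised, e.g. "if any vulnerabilities are reported against them". A sentence on how bundled component versions are tracked against published advisories would turn "actively monitored" from a promise into something a reader can verify.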
Changed lines 64-66 from:

PaperCut makes use of a number of 3rd party libraries and components. The security of components is actively monitored by our development team and if any are raised, we assess the impact this may have. We take the topic of security for any 3rd component as serious as we do for our own code base. In some situations we have worked with the 3rd party vendors to address security issues. Another example of 3rd party security is the https://github.com/codedance/GhostTrap? project. This initiative was started by PaperCut and aims to bring best of breed security to the Ghostscript PDL interpreters.

to:

PaperCut makes use of a number of 3rd party libraries and components. The security of components is actively monitored by our development team and if any are raised, we assess the impact this may have. We take the topic of security for any 3rd component as serious as we do for our own code base. In some situations we have worked with the 3rd party vendors to address security issues. Another example of 3rd party security is the Ghost Trap project. This initiative was started by PaperCut and aims to bring best of breed security to the Ghostscript PDL interpreters.

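Review bot: replacing the GitHub URL with the bare words "Ghost Trap project" removes the only pointer to the project. The "?" on the original indicated that the wiki could not render the URL as a link, so the fix should be a working external link in the wiki's link syntax, not dropping the reference.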
Changed lines 56-57 from:

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly.

to:

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly. PCI certification is not something PaperCut can see as an application as certification is implementation and site specific. A number of PaperCut customers (such as Universities) are subject to PCI requirements and the PaperCut servers running on these sites are scanned at least once a month.

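Review bot: the added sentence "PCI certification is not something PaperCut can see as an application" is unclear; it presumably means that PaperCut as a product cannot obtain certification because DSS assessment is performed per implementation and per site, and it should say so. It would also help to state the property that makes the hosted-pay-page design matter: card data is entered on the provider's site and never passes through the PaperCut server. The "scanned at least once a month" remark describes what customer sites do, not a vendor attestation, and should be worded that way.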
Changed lines 60-62 from:

No. All database queries in PaperCut are developed using parameterized SQL. This means that PaperCut never directly builds the SQL statement using data provided by the user (e.g. search terms entered in fields). All SQL parameters are handled by the underlying database library which means that PaperCut is not susceptible to SQL injection attacks.

to:

Our coding standard and design policies are designed to limit this type of attack. All database queries in PaperCut are developed using parametrized SQL. This means that PaperCut never directly builds the SQL statement using data provided by the user (e.g. search terms entered in fields). All SQL parameters are handled by the underlying database library which means that PaperCut is not susceptible to SQL injection attacks.

Q What about the security of any 3rd party libraries and components used by PaperCut?

PaperCut makes use of a number of 3rd party libraries and components. The security of components is actively monitored by our development team and if any are raised, we assess the impact this may have. We take the topic of security for any 3rd component as serious as we do for our own code base. In some situations we have worked with the 3rd party vendors to address security issues. Another example of 3rd party security is the https://github.com/codedance/GhostTrap? project. This initiative was started by PaperCut and aims to bring best of breed security to the Ghostscript PDL interpreters.

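Review bot: the new opening, "Our coding standard and design policies are designed to limit this type of attack", hedges, but the paragraph still ends with the categorical "PaperCut is not susceptible to SQL injection attacks"; pick one. A precise wording is "all user-supplied values are passed as bound parameters": bound parameters remove injection from value positions, but they cannot parameterise identifiers (a column name in ORDER BY, a table name), so any such clause built from user input needs an allow-list and the answer should say whether one exists. "parametrized" should match the earlier spelling "parameterized". The third-party question added in the same hunk ends with a broken wiki link ("GhostTrap?").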
Changed lines 15-16 from:

Q A security analysis tool (e.g. a PCL Compliance Scan) is reporting that PaperCut is configured to accept weak ciphers. How can I address this?

to:

Q A security analysis tool (e.g. a PCI Compliance Scan) is reporting that PaperCut is configured to accept weak ciphers. How can I address this?

Added lines 15-18:

Q A security analysis tool (e.g. a PCL Compliance Scan) is reporting that PaperCut is configured to accept weak ciphers. How can I address this?

This topic is addressed in detail in the knowledge base article: SSL Cipher Configuration - removing weak ciphers.

Changed lines 28-29 from:

We have a number of large University/College sites that have opened up PaperCut’s port to the Internet since 2005. It is recommended to open port 9192 (the SSL port) rather than the pain text port 9191.

to:

We have a number of large University/College sites that have opened up PaperCut’s port to the Internet since 2005. It is recommended to open port 9192 (the SSL port) rather than the plain text port 9191.

Added lines 42-45:

Q Are administrator activities audited?

Yes. As a general rule most major operations such as editing printer details, creating/deleting/modifying user accounts are audited. These audit records appear in the App. Log with a date, details and the user who performed the operation. Having said that, a full level system administrator with read/write file access could in theory edit data files directory to modify the audit trail. Standard limited-rights PaperCut-only administrators access via the web interface can not modify these records.

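Review bot: "edit data files directory" should be "directly", and "can not" should be "cannot". The answer concedes that a full system administrator can rewrite the audit records; sites that need tamper evidence should therefore be told to copy the App. Log off the host as it is written (with whatever log shipping the OS provides), since a local administrator can edit a file but not records already sent elsewhere.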
Added lines 30-33:

Q Is PaperCut and associated executable given minimum permission needed for operation? Is the concept of least privilege upheld?

Yes. On Windows, Mac, Novell and Linux PaperCut has been designed to run under non-privilege accounts. Key security processes on Linux that need to be run with elevated privileges such as those used for user authentication are run “out of process” so this higher privileges rights are isolated at the process level. On Windows, PaperCut’s runs it’s main process as the SYSTEM account with local access only (no network resource access).

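Review bot: the Windows sentence undermines the "Yes". Running the main process as SYSTEM is the opposite of least privilege, and the parenthetical "(no network resource access)" is not accurate: on a domain-joined machine a LocalSystem service authenticates to network resources as the computer account; it is LocalService that presents anonymous credentials on the network. Either explain why SYSTEM is required (for example, print spooler access) or describe the account actually used. Also: "Is PaperCut and associated executable given" should be "Are PaperCut and its associated executables given", "non-privilege accounts" should be "non-privileged accounts", and "so this higher privileges rights are isolated" should read "so the elevated rights are isolated".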
Added line 59:
Changed lines 15-18 from:

Q I am considering using Popup Authentication. What should I consider?

Popup-authentication is an auxiliary authentication method and in general should not be used in preference to a protocol-level authentication system. Popup authentication (IP session based authentication) and it’s security considerations are discussed in detail in the KB articleConsiderations When Using Popup Authentication.

to:

Q I am going to use Popup Authentication. What should I consider?

Popup-authentication is an auxiliary authentication method and in general should not be used in preference to a protocol-level authentication system. Popup authentication (IP session based authentication) and it’s security considerations are discussed in detail in the KB article Considerations When Using Popup Authentication.

Changed lines 9-10 from:

Internal user passwords are stored in the PaperCut database as a one-way hash in line with security best practice - an MD5 sum factored from a combination of username + password + a salt. This use of a secure one-way hash ensures that users’ passwords are kept private even if someone has access to the PaperCut database.

to:

Internal user passwords are stored in the PaperCut database as a one-way hash in line with security best practice - an MD5 sum factored from a combination of username + password + a salt. This use of a secure one-way hash ensures that users’ passwords are kept private even if someone has access to the PaperCut database.

Added lines 15-18:

Q I am considering using Popup Authentication. What should I consider?

Popup-authentication is an auxiliary authentication method and in general should not be used in preference to a protocol-level authentication system. Popup authentication (IP session based authentication) and it’s security considerations are discussed in detail in the KB articleConsiderations When Using Popup Authentication.

March 19, 2012, at 02:46 AM by ian - Clarity edits sourced from whitepaper review.
Changed lines 5-6 from:

User authentication is performed by the operating system - usually via a directory service such as Active Directory or LDAP. PaperCut does not store any user passwords and instead interrogates the directory service in real-time. Caching or storing passwords is regarded as a security risk. The only exception to this rule is the built-in admin user account. This password is stored in a one-way salted hashed format in the server.properties file. This account is kept separate from the directory user accounts ensuring that administrator level login is still possible even during a directory outage.

to:

User authentication is performed by the operating system - usually via a directory service such as Active Directory or LDAP. PaperCut does not store any user passwords and instead interrogates the directory service in real-time. Caching or storing passwords is regarded as a security risk. The only exceptions to this rule are the built-in admin user account and PaperCut internal accounts.

The built-in admin password is stored in a one-way salted hashed format in the server.properties file. This account is kept separate from the directory user accounts ensuring that administrator level login is still possible even during a directory outage.

Internal user passwords are stored in the PaperCut database as a one-way hash in line with security best practice - an MD5 sum factored from a combination of username + password + a salt. This use of a secure one-way hash ensures that users’ passwords are kept private even if someone has access to the PaperCut database.

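Review bot: "an MD5 sum factored from a combination of username + password + a salt" should not be described as "a secure one-way hash" for password storage. MD5 is a fast hash, so an attacker who obtains the database can test billions of candidate passwords per second on one GPU, and if the salt is a fixed string then the only per-user component is the username. The answer should name a deliberately slow, salted password hash (PBKDF2, bcrypt or scrypt) with a random per-user salt, or state the iteration count if one is used. The first paragraph's "PaperCut does not store any user passwords" is now contradicted two paragraphs later; "does not store directory users' passwords" is the accurate claim.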
Changed lines 32-33 from:

PaperCut is in use in tens-of-thousands of organizations and many of them use various security analysis and scanning tools. If the issue raised is marked as “high”, please raise these with our support team. Many of these systems raise issues not pertinent to PaperCut and it’s print management application, however we like to assess all on a case-by-case basis and will let you know if your developers think they require action.

to:

PaperCut is in use in tens-of-thousands of organizations and many of them use various security analysis and scanning tools. If the issue raised is marked as “high”, please raise these with our support team. Many of these systems raise issues not pertinent to PaperCut and it’s print management application, however we like to assess all on a case-by-case basis and will let you know if our developers think they require action.

Changed line 56 from:
to:
June 07, 2011, at 12:14 AM by 202.129.124.120 -
Added lines 38-42:

Q Is PaperCut susceptible to SQL Injection attacks?

No. All database queries in PaperCut are developed using parameterized SQL. This means that PaperCut never directly builds the SQL statement using data provided by the user (e.g. search terms entered in fields). All SQL parameters are handled by the underlying database library which means that PaperCut is not susceptible to SQL injection attacks.

Changed lines 32-33 from:

Formal security certification is a new an emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product itself make certification difficult (e.g. PCI DSS).

to:

Formal security certification is a new and emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product itself make certification difficult (e.g. PCI DSS).

Changed lines 11-14 from:

Q Does PaperCut use HtmlOnly? secured cookies?

Yes. As of version 11.2 all session ID information stored in copies are marked as HtmlOnly? to help mitigate the risk associated with some XSS attacks.

to:

Q Does PaperCut use HtmlOnly secured cookies?

Yes. As of version 11.2 all session ID information stored in copies are marked as HtmlOnly to help mitigate the risk associated with some XSS attacks.

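Review bot: the cookie attribute is HttpOnly, not HtmlOnly, and "stored in copies" should be "stored in cookies"; this edit only removed the wiki-link "?" without correcting the name. An HttpOnly cookie cannot be read from document.cookie, which limits what an XSS payload can exfiltrate, so the mitigation claim is right once the name is fixed. The same sentence should say whether the session cookie also carries the Secure attribute, since port 9191 serves plain HTTP and a cookie without Secure is sent over it.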
Changed lines 5-6 from:

User authentication is performed by the operating system - usually via a directory service such as Active Directory or LDAP. PaperCut does not store any user passwords and instead interrogates the directory service in real-time. Caching or storing passwords is regarded as a security risk. The only exception to this rule is the built-in admin user account. This password is stored in a one-way hashed format in the server.properties file. This account is kept separate from the directory user accounts ensuring that administrator level login is still possible even during a directory outage.

to:

User authentication is performed by the operating system - usually via a directory service such as Active Directory or LDAP. PaperCut does not store any user passwords and instead interrogates the directory service in real-time. Caching or storing passwords is regarded as a security risk. The only exception to this rule is the built-in admin user account. This password is stored in a one-way salted hashed format in the server.properties file. This account is kept separate from the directory user accounts ensuring that administrator level login is still possible even during a directory outage.

Added lines 11-14:

Q Does PaperCut use HtmlOnly? secured cookies?

Yes. As of version 11.2 all session ID information stored in copies are marked as HtmlOnly? to help mitigate the risk associated with some XSS attacks.

Added lines 26-29:

Q I’ve run a security scanner across PaperCut and it’s raised a warning. What does this mean?

PaperCut is in use in tens-of-thousands of organizations and many of them use various security analysis and scanning tools. If the issue raised is marked as “high”, please raise these with our support team. Many of these systems raise issues not pertinent to PaperCut and it’s print management application, however we like to assess all on a case-by-case basis and will let you know if your developers think they require action.

Changed lines 16-17 from:

We have a number of large University/College sites that have done this since 2005 with no report of issues.

to:

We have a number of large University/College sites that have opened up PaperCut’s port to the Internet since 2005. It is recommended to open port 9192 (the SSL port) rather than the pain text port 9191.

Added lines 11-17:

Q Can I open port 9191/9192 to the world?

Best practice suggests not exposing any services to the Internet unless required. Having said that, we have designed PaperCut to be secure and with the intention of our users opening the HTTPS port 9192 to the Internet to facilitate services such as:

  • Remote administration
  • Allowing end-users to login from home to check balances and add credit/quota to their accounts

We have a number of large University/College sites that have done this since 2005 with no report of issues.

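Review bot: "have done this since 2005 with no report of issues" is an absence of reports, not evidence of safety; the answer should instead say what makes the exposure acceptable, which is that only the HTTPS port is opened and the admin and user interfaces authenticate before doing anything. The question names "port 9191/9192" but the answer only discusses 9192; state explicitly that 9191 is plain HTTP, would carry credentials in clear, and should stay closed.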
Changed lines 17-18 from:

Formal security certification is a new an emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product itself make certification difficult (e.g. PCI DSS).

to:

Formal security certification is a new an emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product itself make certification difficult (e.g. PCI DSS).

Changed lines 21-22 from:

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource?, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly.

to:

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly.

Changed line 31 from:

to:

Added lines 19-22:

Q Is PaperCut PCI Certified?

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource?, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the providers “hosted pay page” and credit card details are entered on their website directly.

January 04, 2011, at 03:45 AM by 202.129.124.120 -
Changed lines 13-14 from:

Two levels of access control is provided for the web services APIs. The first is that any call needs to pass a valid authentication token (usually the admin user’s built-in password). All calls not passing this will be rejected. The 2nd level of security is IP address level filtering. By default PaperCut will only allow calls from localhost (127.0.0.1), and optionally this can be extended to other servers by manually granting that server’s IP address. Valid IP addresses/ranges are defined under the Options section.

to:

Two levels of access control is provided for the web services APIs. The first is that any call needs to pass a valid authentication token (usually the built-in admin user’s password). All calls not passing this will be rejected. The 2nd level of security is IP address level filtering. By default PaperCut will only allow calls from localhost (127.0.0.1), and optionally this can be extended to other servers by manually granting that server’s IP address. Valid IP addresses/ranges are defined under the Options section.

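Review bot: the wording fix is fine, but the design it describes needs a caveat in the answer: if the token "usually" is the built-in admin user's password, every integration host that calls the API holds a full administrator credential. Recommend a dedicated API token where one is configurable, and in any case calling the API only over the SSL port so the token is not sent in clear over 9191; IP filtering limits who can try, it does not protect the secret. "Two levels of access control is provided" should be "are provided".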
Changed lines 17-18 from:

Formal security certification is a new an emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product iself make certification difficult (e.g. PCI DSS).

to:

Formal security certification is a new an emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product itself make certification difficult (e.g. PCI DSS).

Changed lines 17-18 from:

Formal security certification is a new an emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the install rather than the product make certification difficult (e.g. PCI DSS).

to:

Formal security certification is a new an emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product iself make certification difficult (e.g. PCI DSS).

Changed lines 15-16 from:

Q Is PaperCut certified by security standard XYZ?

to:

Q Is PaperCut certified under security standard XYZ?

Added lines 15-18:

Q Is PaperCut certified by security standard XYZ?

Formal security certification is a new an emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the install rather than the product make certification difficult (e.g. PCI DSS).

Changed lines 11-14 from:

Q How can I restrict access to the XML Web Service APIs?

Two levels of access control is provided for the web services API’s. The first is that any call needs to pass a valid authentication token (usually the admin user’s built-in password). All calls not passing this will be rejected. The 2nd level of security is IP address level filtering. By default PaperCut will only allow calls from localhost (127.0.0.1), and optionally this can be extended to other servers by manually granting that server’s IP address. Valid IP addresses/ranges are defined under the Options section.

to:

Q How can I restrict access to the XML Web Service APIs?

Two levels of access control is provided for the web services APIs. The first is that any call needs to pass a valid authentication token (usually the admin user’s built-in password). All calls not passing this will be rejected. The 2nd level of security is IP address level filtering. By default PaperCut will only allow calls from localhost (127.0.0.1), and optionally this can be extended to other servers by manually granting that server’s IP address. Valid IP addresses/ranges are defined under the Options section.

Changed lines 17-18 from:

More information here: Common Security Questions

to:

More information here: Tell me about PaperCut’s security

Changed line 22 from:
to:
Changed lines 22-23 from:
to:
Changed lines 17-18 from:

More information here: ?

to:

More information here: Common Security Questions

Changed line 22 from:

Also see: ?

to:
Changed lines 11-12 from:

Q How can I restrict access to the XML Web Service API’s?

to:

Q How can I restrict access to the XML Web Service APIs?

Added lines 15-18:

Q Tell me about your security development practices?

More information here: ?

Changed lines 21-22 from:

to:

Also see: ?

Article last modified on March 14, 2018, at 03:40 AM