Common security questions

Find the answers to PaperCut product security questions, as well as information about specific security vulnerabilities.

General security questions

Need to make sure you receive critical security notifications? Sign up for email alerts here.

Absolutely! We have pooled our knowledge and created a comprehensive Print Security whitepaper that will help you not only make the most of PaperCut’s security features but also help you secure your entire print infrastructure. Take a look at: PaperCut Security white paper .

We’re glad you asked. Our article, Secure your PaperCut NG/MF server , collects all our best advice for security-conscious customers about locking down your PaperCut application server.

User authentication is performed by the operating system - usually via a directory service such as Active Directory or LDAP. PaperCut does not store any user passwords and instead interrogates the directory service in real-time. Caching or storing passwords is regarded as a security risk. The only exceptions to this rule are the built-in admin user account and PaperCut internal accounts.

The built-in admin password is stored in a one-way salted hashed format in the server.properties file. This account is kept separate from the directory user accounts ensuring that administrator level login is still possible even during a directory outage.

Internal user passwords are stored in the PaperCut database as a one-way hash in line with security best practice - a BCrypt sum factored from a combination of username + password + a salt. This use of a secure one-way hash ensures that users’ passwords are kept private even if someone has access to the PaperCut database.

In addition, PaperCut also encrypts all user’s Personal Identification Numbers used to secure card numbers.

Communication between the PaperCut server and Active Directory (AD) is provided and secured by the Windows operating system. PaperCut calls the AD API on the local Windows system, and the PaperCut software does not collect passwords over the network to any remote server, as this is handled by AD itself.

PaperCut does not store any user passwords and instead interrogates the directory service in real-time, as caching or storing passwords is regarded as a security risk. The only exceptions to this rule are the built-in admin user account and PaperCut internal accounts which are covered above.

Client-server communication of sensitive data is conducted over a TLS link - this is an equivalent level of encryption to that used by a web browser connected on an https:// website.

Popup-authentication is another means that PaperCut can use to authenticate users at the time of printing using the PaperCut User Client. This topic and it’s security considerations are discussed in detail in the article Popup authentication .

Yes. As of PaperCut NG and PaperCut MF 17.1, all session cookies generated for access attempts over secure connections are marked as both Secure and HtmlOnly in order to help mitigate a number of potential risks, such as certain styles of XSS attack, as well as the interception of secure session data improperly transmitted in cleartext.

Best practice suggests not exposing any services to the Internet unless required. Having said that, we have designed PaperCut to be secure and with the intention of our users opening the HTTPS port 9192 to the Internet to facilitate services such as:

• Remote administration
• Allowing end-users to login from home to check balances and add credit/quota to their accounts

We have a number of large University/College sites that have opened up PaperCut’s port to the Internet since 2005. It is recommended to open port 9192 (the TLS port) rather than the plain text port 9191.

Yes. On Windows, Mac, Novell and Linux PaperCut have been designed to run under non-privileged accounts. Key security processes on Linux that need to be run with elevated privileges such as those used for user authentication are run “out of process” so these higher privileges rights are isolated at the process level. On Windows, PaperCut’s runs its main process as the SYSTEM account with local access only (no network resource access).

Two levels of access control is provided for the web services APIs. The first is that any call needs to pass a valid authentication token (usually the built-in admin user’s password). All calls not passing this will be rejected. The 2nd level of security is IP address level filtering. By default, PaperCut will only allow calls from localhost (127.0.0.1), and optionally this can be extended to other servers by manually granting that server’s IP address. Valid IP addresses/ranges are defined under the Options section.

Yes. As a general rule most major operations such as editing printer details, creating/deleting/modifying user accounts are audited. These audit records appear in the App. Log with a date, details and the user who performed the operation. Having said that, a full level system administrator with read/write file access could in theory edit the data files directory to modify the audit trail. Standard limited-rights PaperCut-only administrators access via the web interface can not modify these records.

PaperCut makes use of a number of third party libraries and components. The security of components is actively monitored by our development team and if any are raised, we assess the impact this may have. We take the topic of security for any 3rd component as serious as we do for our own codebase. In some situations, we have worked with the 3rd party vendors to address security issues. Another example of active 3rd party security management is the Ghost Trap project. This initiative was started by PaperCut and aims to bring best of breed security to the Ghostscript PDL interpreters.

Our document watermarking functionality can be easily leveraged to inject a digital signature into every printed page. This signature is generated by combining key print job attributes (e.g. time of print, username, printer name, document name) with a secret key, using a cryptographic algorithm to create an encoded string that is unique for each document. Both the MD5 and SHA1 message digest algorithms are available to transform these elements into unique signature strings, allowing the degree of cryptographic security to be configured. The resulting signatures can be used to trace printed pages back to their users of origin, allowing you to follow-up undesired or unlawful transmission of classified content.

As of version 17.1 of PaperCut NG and PaperCut MF, watermarks can be applied across the full page, such that signatures are visible over the entire printed document. This renders the removal of a signature from the printed page impossible.

In the past, contact to PaperCut servers to check for updates, send error reports on user commands, or download news content was performed over regular HTTP. From version 17.2.3 forwards of PaperCut NG and PaperCut MF, all outbound contact is made using HTTPS, minimizing the risk of these communications being intercepted.

Prior to version 17.3 of PaperCut NG and PaperCut MF, HTML error pages would provide some technical context for the error, in order to aid diagnosis of the cause. Amongst the context provided was basic system information, which for highly secure environments could be considered to be unnecessary exposure. From 17.3 onwards, PaperCut NG and PaperCut MF will default to only outputting stack trace data when generating these error pages, eliding any information which could be considered identifying.

To establish support for Office documents, we recommend that Web Print be configured in “Sandbox Mode”. This partitions the running of the Web Print service off to one or more Web Print Servers; machines distinct from the key components of the PaperCut MF or PaperCut NG solution architecture, which are minimally configured and wholly dedicated to their task. By doing so, the opening and rendering of Office documents is contained to only these standalone servers, and if one of these machines is then compromised, only transient document data is potentially exposed. The afflicted Web Print Server can then be torn down and restored from a basic system image, removing the threat in the process.

Furthermore, Web Print Servers running version 17.4.2 or later of PaperCut MF and PaperCut NG can disallow the execution of any embedded document macros. This is controlled with the web-print.disable-macros configuration key, accessible via the Config Editor. This should minimise the possibility of document-borne attacks impacting your Web Print setup.

More information here: Tell me about PaperCut’s security

Security standards and frameworks

PaperCut is developed in line with leading security guidelines and practices. For an overview have a look at our article Tell me about PaperCut’s security .

PaperCut is also ISO/IEC 27001-2022 certified (commonly referred to as ISO 27001 certification). To view our certification, visit our Trust Portal.

With the well-justified increased industry focus on security PaperCut Software is continuously working to formalize our security practices:

• Our Security Response Team (SRT) led by our Head of Development provides personalized and timely responses by our security specialists to any reported issues.
• We work with external security consultants to audit our security policies and practices in general, as well as the specific technologies and architectures used to protect customer information in PaperCut NG and MF.
• PaperCut customers and prospects are regularly PEN testing and auditing our software and we give high priority to fixing any vulnerabilities found.

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself.

PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal , CyberSource , Authorize.Net , etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified.

When a user makes a payment they are directed through to the provider’s “hosted pay page” and credit card details are entered on their website directly.

Please follow this link for more detail on PaperCut and PCI DSS v3.

The EU General Data Protection Regulation (GDPR) mandates that users have a Right to Access all stored data associated with them, as well as the Right to be Forgotten; to have all identifiable data related to them which is stored by an organisation permanently removed upon request. This is a significant seachange, reflecting the ever-increasing emphasis placed on securing and protecting personal data within information systems.

As of version 17.2, we have implemented methods that empower an organisation to meet these requirements with respect to their print system. Understanding that total compliance with GDPR is of critical importance to organisations operating within the EU, we’ve also sought to ease the burden of transition by authoring a GDPR Compliance Guide to help you along the way!

For further information, check out our article on GDPR .

PaperCut is in use in tens of thousands of organizations and many of them use various security analysis and scanning tools. A security analysis tool like Nessus might identify issues, particularly with older PaperCut servers that have not yet been upgraded.

The solution might entail upgrading PaperCut NG/MF, configuring PaperCut NG/MF to use a signed certificate, or changing some other setting. Other times the warning may be for something else running on the server, rather than PaperCut NG or MF.

Information about hardening your PaperCut NG/MF server can be found in our article Secure your PaperCut NG/MF server .

Of course the security landscape is a frequently changing one. If you’ve already read through the above article and still have any doubts or concerns please visit our Support portal to get in contact.

Our coding standard and design policies are designed to limit this type of attack. All database queries in PaperCut are developed using parameterized SQL. This means that PaperCut never directly builds the SQL statement using data provided by the user (e.g. search terms entered in fields). All SQL parameters are handled by the underlying database library which means that PaperCut is not susceptible to SQL injection attacks.

A number of preventative measures against common CSRF attack vectors are implemented in PaperCut NG and PaperCut MF, seeking to ensure that an individual cannot modify HTTP request content in such a way that grants elevated access to system information or configuration. For example, as of version 17.3, header-based checks are enabled by default, validating the request origin by cross-checking the supplied origin and destination headers, and denying requests with unknown origin.

More on security at PaperCut

• Tell me about PaperCut’s security
• Security Settings for PaperCut’s Web Server
• PaperCut Security white paper
• General Data Protection Regulation (GDPR)
• Security notifications sign-up page
• Security vulnerability log