[SCM] Samba Shared Repository - branch v3-6-test updated
Karolin Seeger
kseeger at samba.org
Tue Jul 26 13:18:25 MDT 2011
The branch, v3-6-test has been updated
via 589bc35 s3 swat: Create random nonce in CGI mode
via fb0d393 s3 swat: Add time component to XSRF token
via 3b13840 s3 swat: Add XSRF protection to printer page
via 395503b s3 swat: Add XSRF protection to password page
via 869590c s3 swat: Add XSRF protection to shares page
via dc3aa10 s3 swat: Add XSRF protection to globals page
via e33970f s3 swat: Add XSRF protection to wizard page
via a887d84 s3 swat: Add XSRF protection to wizard_params page
via bb9bb43 s3 swat: Add XSRF protection to viewconfig page
via d240094 s3 swat: Add XSRF protection to status page
via 5e32110 s3 swat: Add support for anti-XSRF token
via 4592956 s3 swat: Allow getting the user's HTTP auth password
via 43cf676 s3-swat: Fix typo.
via d88744f s3 swat: Fix possible XSS attack (bug #8289)
from d7242cb release-scripts/create-tarball: always create a tag in form of samba-${version}
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit 589bc35590aebfdd20fe786c08005bb43ef47d94
Author: Kai Blin <kai at samba.org>
Date: Tue Jul 12 08:08:24 2011 +0200
s3 swat: Create random nonce in CGI mode
In CGI mode, we don't get access to the user's password, which would
reduce the hash used so far to parameters an attacker can easily guess.
To work around this, read the nonce from secrets.tdb or generate one if
it's not there.
Also populate the C_user field so we can use that for token creation.
Signed-off-by: Kai Blin <kai at samba.org>
commit fb0d393a1972c28ecd6e49959c8c5b7900e1b574
Author: Kai Blin <kai at samba.org>
Date: Sat Jul 9 09:52:07 2011 +0200
s3 swat: Add time component to XSRF token
Signed-off-by: Kai Blin <kai at samba.org>
commit 3b138403ea157f1c6b8dfc40016f293831765948
Author: Kai Blin <kai at samba.org>
Date: Fri Jul 8 15:06:13 2011 +0200
s3 swat: Add XSRF protection to printer page
Signed-off-by: Kai Blin <kai at samba.org>
commit 395503b9f51445d9ca493c2fc7e6022ee75cb743
Author: Kai Blin <kai at samba.org>
Date: Fri Jul 8 15:05:38 2011 +0200
s3 swat: Add XSRF protection to password page
Signed-off-by: Kai Blin <kai at samba.org>
commit 869590cc3a0c09e11f77277af1d3b7334b718ce0
Author: Kai Blin <kai at samba.org>
Date: Fri Jul 8 15:04:48 2011 +0200
s3 swat: Add XSRF protection to shares page
Signed-off-by: Kai Blin <kai at samba.org>
commit dc3aa10bbc5936aebab88db2ea34b46648839745
Author: Kai Blin <kai at samba.org>
Date: Fri Jul 8 15:04:12 2011 +0200
s3 swat: Add XSRF protection to globals page
Signed-off-by: Kai Blin <kai at samba.org>
commit e33970f1c60451a063bb2eeb64f9515c64722508
Author: Kai Blin <kai at samba.org>
Date: Fri Jul 8 15:03:44 2011 +0200
s3 swat: Add XSRF protection to wizard page
Signed-off-by: Kai Blin <kai at samba.org>
commit a887d8446bc74b255682a4047cb5616fe236bcaf
Author: Kai Blin <kai at samba.org>
Date: Fri Jul 8 15:03:15 2011 +0200
s3 swat: Add XSRF protection to wizard_params page
Signed-off-by: Kai Blin <kai at samba.org>
commit bb9bb437fc3685879f5b34c444d58c4a564f148d
Author: Kai Blin <kai at samba.org>
Date: Fri Jul 8 15:02:53 2011 +0200
s3 swat: Add XSRF protection to viewconfig page
Signed-off-by: Kai Blin <kai at samba.org>
commit d240094fbe7b581a6c97f506fa17747e21180598
Author: Kai Blin <kai at samba.org>
Date: Fri Jul 8 12:58:53 2011 +0200
s3 swat: Add XSRF protection to status page
Signed-off-by: Kai Blin <kai at samba.org>
commit 5e32110742a310aff6946acd34b0dca3a3fc8130
Author: Kai Blin <kai at samba.org>
Date: Fri Jul 8 12:57:43 2011 +0200
s3 swat: Add support for anti-XSRF token
Signed-off-by: Kai Blin <kai at samba.org>
commit 4592956a35d700aaf4ec2be7fc183f42fbe14fba
Author: Kai Blin <kai at samba.org>
Date: Fri Jul 8 12:56:21 2011 +0200
s3 swat: Allow getting the user's HTTP auth password
Signed-off-by: Kai Blin <kai at samba.org>
commit 43cf67654ebcfd3f0a8298af7f6cf15cd5f2d981
Author: Karolin Seeger <kseeger at samba.org>
Date: Sun Jul 24 21:09:38 2011 +0200
s3-swat: Fix typo.
Thanks to Simo for reporting!
Karolin
(cherry picked from commit 9f73c1990a19daa899fa5345530a867e69a5be94)
(cherry picked from commit bcb052c29212954a3ed10c9f095c51e4e0a96af5)
commit d88744f460a2a65d4e0cfb6c944f90f09e15d3b4
Author: Kai Blin <kai at samba.org>
Date: Thu Jul 7 10:03:33 2011 +0200
s3 swat: Fix possible XSS attack (bug #8289)
Nobuhiro Tsuji of NTT DATA SECURITY CORPORATION reported a possible XSS attack
against SWAT, the Samba Web Administration Tool. The attack uses reflection to
insert arbitrary content into the "change password" page.
This patch fixes the reflection issue by not printing user-specified content on
the website anymore.
Signed-off-by: Kai Blin <kai at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/web/cgi.c | 29 ++++++++-
source3/web/statuspage.c | 7 ++
source3/web/swat.c | 173 ++++++++++++++++++++++++++++++++++++++--------
source3/web/swat_proto.h | 6 ++
4 files changed, 184 insertions(+), 31 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index e10fd43..ef1b856 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -23,6 +23,7 @@
#include "web/swat_proto.h"
#include "intl/lang_tdb.h"
#include "auth.h"
+#include "secrets.h"
#define MAX_VARIABLES 10000
@@ -46,6 +47,7 @@ static char *query_string;
static const char *baseurl;
static char *pathinfo;
static char *C_user;
+static char *C_pass;
static bool inetd_server;
static bool got_request;
@@ -324,7 +326,24 @@ static void cgi_web_auth(void)
exit(0);
}
- setuid(0);
+ C_user = SMB_STRDUP(user);
+
+ if (!setuid(0)) {
+ C_pass = secrets_fetch_generic("root", "SWAT");
+ if (C_pass == NULL) {
+ char *tmp_pass = NULL;
+ tmp_pass = generate_random_password(talloc_tos(),
+ 16, 16);
+ if (tmp_pass == NULL) {
+ printf("%sFailed to create random nonce for "
+ "SWAT session\n<br>%s\n", head, tail);
+ exit(0);
+ }
+ secrets_store_generic("root", "SWAT", tmp_pass);
+ C_pass = SMB_STRDUP(tmp_pass);
+ TALLOC_FREE(tmp_pass);
+ }
+ }
setuid(pwd->pw_uid);
if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
printf("%sFailed to become user %s - uid=%d/%d<br>%s\n",
@@ -396,6 +415,7 @@ static bool cgi_handle_authorization(char *line)
/* Save the users name */
C_user = SMB_STRDUP(user);
+ C_pass = SMB_STRDUP(user_pass);
TALLOC_FREE(pass);
return True;
}
@@ -430,6 +450,13 @@ char *cgi_user_name(void)
return(C_user);
}
+/***************************************************************************
+return a ptr to the users password
+ ***************************************************************************/
+char *cgi_user_pass(void)
+{
+ return(C_pass);
+}
/***************************************************************************
handle a file download
diff --git a/source3/web/statuspage.c b/source3/web/statuspage.c
index 02f5ca7..5314f33 100644
--- a/source3/web/statuspage.c
+++ b/source3/web/statuspage.c
@@ -249,9 +249,14 @@ void status_page(void)
int nr_running=0;
bool waitup = False;
TALLOC_CTX *ctx = talloc_stackframe();
+ const char form_name[] = "status";
smbd_pid = pid_to_procid(pidfile_pid("smbd"));
+ if (!verify_xsrf_token(form_name)) {
+ goto output_page;
+ }
+
if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
stop_smbd();
start_smbd();
@@ -328,9 +333,11 @@ void status_page(void)
initPid2Machine ();
+output_page:
printf("<H2>%s</H2>\n", _("Server Status"));
printf("<FORM method=post>\n");
+ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
if (!autorefresh) {
printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
diff --git a/source3/web/swat.c b/source3/web/swat.c
index 38f6475..8b6ae31 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -35,6 +35,7 @@
#include "printing/load.h"
#include "passdb.h"
#include "intl/lang_tdb.h"
+#include "../lib/crypto/md5.h"
static int demo_mode = False;
static int passwd_only = False;
@@ -56,6 +57,9 @@ static int iNumNonAutoPrintServices = 0;
#define DISABLE_USER_FLAG "disable_user_flag"
#define ENABLE_USER_FLAG "enable_user_flag"
#define RHOST "remote_host"
+#define XSRF_TOKEN "xsrf"
+#define XSRF_TIME "xsrf_time"
+#define XSRF_TIMEOUT 300
#define _(x) lang_msg_rotate(talloc_tos(),x)
@@ -144,6 +148,76 @@ static char *make_parm_name(const char *label)
return parmname;
}
+void get_xsrf_token(const char *username, const char *pass,
+ const char *formname, time_t xsrf_time, char token_str[33])
+{
+ struct MD5Context md5_ctx;
+ uint8_t token[16];
+ int i;
+
+ token_str[0] = '\0';
+ ZERO_STRUCT(md5_ctx);
+ MD5Init(&md5_ctx);
+
+ MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname));
+ MD5Update(&md5_ctx, (uint8_t *)&xsrf_time, sizeof(time_t));
+ if (username != NULL) {
+ MD5Update(&md5_ctx, (uint8_t *)username, strlen(username));
+ }
+ if (pass != NULL) {
+ MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
+ }
+
+ MD5Final(token, &md5_ctx);
+
+ for(i = 0; i < sizeof(token); i++) {
+ char tmp[3];
+
+ snprintf(tmp, sizeof(tmp), "%02x", token[i]);
+ strncat(token_str, tmp, sizeof(tmp));
+ }
+}
+
+void print_xsrf_token(const char *username, const char *pass,
+ const char *formname)
+{
+ char token[33];
+ time_t xsrf_time = time(NULL);
+
+ get_xsrf_token(username, pass, formname, xsrf_time, token);
+ printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
+ XSRF_TOKEN, token);
+ printf("<input type=\"hidden\" name=\"%s\" value=\"%lld\">\n",
+ XSRF_TIME, (long long int)xsrf_time);
+}
+
+bool verify_xsrf_token(const char *formname)
+{
+ char expected[33];
+ const char *username = cgi_user_name();
+ const char *pass = cgi_user_pass();
+ const char *token = cgi_variable_nonull(XSRF_TOKEN);
+ const char *time_str = cgi_variable_nonull(XSRF_TIME);
+ time_t xsrf_time = 0;
+ time_t now = time(NULL);
+
+ if (sizeof(time_t) == sizeof(int)) {
+ xsrf_time = atoi(time_str);
+ } else if (sizeof(time_t) == sizeof(long)) {
+ xsrf_time = atol(time_str);
+ } else if (sizeof(time_t) == sizeof(long long)) {
+ xsrf_time = atoll(time_str);
+ }
+
+ if (abs(now - xsrf_time) > XSRF_TIMEOUT) {
+ return false;
+ }
+
+ get_xsrf_token(username, pass, formname, xsrf_time, expected);
+ return (strncmp(expected, token, sizeof(expected)) == 0);
+}
+
+
/****************************************************************************
include a lump of html in a page
****************************************************************************/
@@ -620,13 +694,20 @@ static void welcome_page(void)
static void viewconfig_page(void)
{
int full_view=0;
+ const char form_name[] = "viewconfig";
+
+ if (!verify_xsrf_token(form_name)) {
+ goto output_page;
+ }
if (cgi_variable("full_view")) {
full_view = 1;
}
+output_page:
printf("<H2>%s</H2>\n", _("Current Config"));
printf("<form method=post>\n");
+ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
if (full_view) {
printf("<input type=submit name=\"normal_view\" value=\"%s\">\n", _("Normal View"));
@@ -646,18 +727,25 @@ static void viewconfig_page(void)
static void wizard_params_page(void)
{
unsigned int parm_filter = FLAG_WIZARD;
+ const char form_name[] = "wizard_params";
/* Here we first set and commit all the parameters that were selected
in the previous screen. */
printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page"));
+ if (!verify_xsrf_token(form_name)) {
+ goto output_page;
+ }
+
if (cgi_variable("Commit")) {
commit_parameters(GLOBAL_SECTION_SNUM);
save_reload(-1);
}
+output_page:
printf("<form name=\"swatform\" method=post action=wizard_params>\n");
+ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
if (have_write_access) {
printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n");
@@ -693,6 +781,11 @@ static void wizard_page(void)
int have_home = -1;
int HomeExpo = 0;
int SerType = 0;
+ const char form_name[] = "wizard";
+
+ if (!verify_xsrf_token(form_name)) {
+ goto output_page;
+ }
if (cgi_variable("Rewrite")) {
(void) rewritecfg_file();
@@ -784,9 +877,11 @@ static void wizard_page(void)
role = lp_server_role();
+output_page:
/* Here we go ... */
printf("<H2>%s</H2>\n", _("Samba Configuration Wizard"));
printf("<form method=post action=wizard>\n");
+ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
if (have_write_access) {
printf("%s\n", _("The \"Rewrite smb.conf file\" button will clear the smb.conf file of all default values and of comments."));
@@ -855,9 +950,14 @@ static void globals_page(void)
{
unsigned int parm_filter = FLAG_BASIC;
int mode = 0;
+ const char form_name[] = "globals";
printf("<H2>%s</H2>\n", _("Global Parameters"));
+ if (!verify_xsrf_token(form_name)) {
+ goto output_page;
+ }
+
if (cgi_variable("Commit")) {
commit_parameters(GLOBAL_SECTION_SNUM);
save_reload(-1);
@@ -870,7 +970,9 @@ static void globals_page(void)
if ( cgi_variable("AdvMode"))
mode = 1;
+output_page:
printf("<form name=\"swatform\" method=post action=globals>\n");
+ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
ViewModeBoxes( mode );
switch ( mode ) {
@@ -910,11 +1012,17 @@ static void shares_page(void)
int mode = 0;
unsigned int parm_filter = FLAG_BASIC;
size_t converted_size;
+ const char form_name[] = "shares";
+
+ printf("<H2>%s</H2>\n", _("Share Parameters"));
+
+ if (!verify_xsrf_token(form_name)) {
+ goto output_page;
+ }
if (share)
snum = lp_servicenumber(share);
- printf("<H2>%s</H2>\n", _("Share Parameters"));
if (cgi_variable("Commit") && snum >= 0) {
commit_parameters(snum);
@@ -940,10 +1048,6 @@ static void shares_page(void)
}
}
- printf("<FORM name=\"swatform\" method=post>\n");
-
- printf("<table>\n");
-
if ( cgi_variable("ViewMode") )
mode = atoi(cgi_variable_nonull("ViewMode"));
if ( cgi_variable("BasicMode"))
@@ -951,6 +1055,12 @@ static void shares_page(void)
if ( cgi_variable("AdvMode"))
mode = 1;
+output_page:
+ printf("<FORM name=\"swatform\" method=post>\n");
+ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+
+ printf("<table>\n");
+
ViewModeBoxes( mode );
switch ( mode ) {
case 0:
@@ -1129,11 +1239,9 @@ static void chg_passwd(void)
if(cgi_variable(CHG_S_PASSWD_FLAG)) {
printf("<p>");
if (rslt == True) {
- printf(_(" The passwd for '%s' has been changed."), cgi_variable_nonull(SWAT_USER));
- printf("\n");
+ printf("%s\n", _(" The passwd has been changed."));
} else {
- printf(_(" The passwd for '%s' has NOT been changed."), cgi_variable_nonull(SWAT_USER));
- printf("\n");
+ printf("%s\n", _(" The passwd has NOT been changed."));
}
}
@@ -1146,20 +1254,15 @@ static void chg_passwd(void)
static void passwd_page(void)
{
const char *new_name = cgi_user_name();
-
- /*
- * After the first time through here be nice. If the user
- * changed the User box text to another users name, remember it.
- */
- if (cgi_variable(SWAT_USER)) {
- new_name = cgi_variable_nonull(SWAT_USER);
- }
+ const char passwd_form[] = "passwd";
+ const char rpasswd_form[] = "rpasswd";
if (!new_name) new_name = "";
printf("<H2>%s</H2>\n", _("Server Password Management"));
printf("<FORM name=\"swatform\" method=post>\n");
+ print_xsrf_token(cgi_user_name(), cgi_user_pass(), passwd_form);
printf("<table>\n");
@@ -1199,14 +1302,16 @@ static void passwd_page(void)
* Do some work if change, add, disable or enable was
* requested. It could be this is the first time through this
* code, so there isn't anything to do. */
- if ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
- (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG))) {
+ if (verify_xsrf_token(passwd_form) &&
+ ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
+ (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG)))) {
chg_passwd();
}
printf("<H2>%s</H2>\n", _("Client/Server Password Management"));
printf("<FORM name=\"swatform\" method=post>\n");
+ print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form);
printf("<table>\n");
@@ -1239,7 +1344,7 @@ static void passwd_page(void)
* password somewhere other than the server. It could be this
* is the first time through this code, so there isn't
* anything to do. */
- if (cgi_variable(CHG_R_PASSWD_FLAG)) {
+ if (verify_xsrf_token(passwd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) {
chg_passwd();
}
@@ -1256,18 +1361,15 @@ static void printers_page(void)
int i;
int mode = 0;
unsigned int parm_filter = FLAG_BASIC;
+ const char form_name[] = "printers";
+
+ if (!verify_xsrf_token(form_name)) {
+ goto output_page;
+ }
if (share)
snum = lp_servicenumber(share);
- printf("<H2>%s</H2>\n", _("Printer Parameters"));
-
- printf("<H3>%s</H3>\n", _("Important Note:"));
- printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
- printf("%s",_("are autoloaded printers from "));
- printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
- printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
-
if (cgi_variable("Commit") && snum >= 0) {
commit_parameters(snum);
if (snum >= iNumNonAutoPrintServices)
@@ -1296,8 +1398,6 @@ static void printers_page(void)
}
}
- printf("<FORM name=\"swatform\" method=post>\n");
-
if ( cgi_variable("ViewMode") )
mode = atoi(cgi_variable_nonull("ViewMode"));
if ( cgi_variable("BasicMode"))
@@ -1305,6 +1405,19 @@ static void printers_page(void)
if ( cgi_variable("AdvMode"))
mode = 1;
+output_page:
+ printf("<H2>%s</H2>\n", _("Printer Parameters"));
+
+ printf("<H3>%s</H3>\n", _("Important Note:"));
+ printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
+ printf("%s",_("are autoloaded printers from "));
+ printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
+ printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
+
+
+ printf("<FORM name=\"swatform\" method=post>\n");
+ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+
ViewModeBoxes( mode );
switch ( mode ) {
case 0:
diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h
index 0f84e4f..424a3af 100644
--- a/source3/web/swat_proto.h
+++ b/source3/web/swat_proto.h
@@ -31,6 +31,7 @@ const char *cgi_variable(const char *name);
const char *cgi_variable_nonull(const char *name);
bool am_root(void);
char *cgi_user_name(void);
+char *cgi_user_pass(void);
void cgi_setup(const char *rootdir, int auth_required);
const char *cgi_baseurl(void);
const char *cgi_pathinfo(void);
@@ -66,5 +67,10 @@ void status_page(void);
/* The following definitions come from web/swat.c */
const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid);
+void get_xsrf_token(const char *username, const char *pass,
+ const char *formname, time_t xsrf_time, char token_str[33]);
+void print_xsrf_token(const char *username, const char *pass,
+ const char *formname);
+bool verify_xsrf_token(const char *formname);
#endif /* _SWAT_PROTO_H_ */
--
Samba Shared Repository
More information about the samba-cvs
mailing list