[SCM] Samba Shared Repository - branch v3-6-test updated
Karolin Seeger
kseeger at samba.org
Wed Jan 30 03:40:52 MST 2013
The branch, v3-6-test has been updated
via 2d8c6de WHATSNEW: Start release notes for Samba 3.6.13.
via a9f770e VERSION: Bump version number up to 3.6.13.
via a36370e swat: Use additional nonce on XSRF protection
via 4eb9c2d swat: Use X-Frame-Options header to avoid clickjacking
via 02396c3 WHATSNEW: Prepare release notes for Samba 3.6.12.
from 022e1d8 Fix bug #9585 - Samba 3.6.x not correctly signing any but the last response in a compound request/response
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit 2d8c6de869b88d3c8c9313290ee285c419fec58a
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Jan 30 11:42:53 2013 +0100
WHATSNEW: Start release notes for Samba 3.6.13.
Karolin
commit a9f770e65876fbcfd3967a893dbd1f0770d2789a
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Jan 30 11:42:18 2013 +0100
VERSION: Bump version number up to 3.6.13.
Karolin
commit a36370e6d511da8d9e77c845778cce7fa627b994
Author: Kai Blin <kai at samba.org>
Date: Mon Jan 28 21:41:07 2013 +0100
swat: Use additional nonce on XSRF protection
If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targeted by an XSRF on a
malicious web site targeting the SWAT setup.
Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.
Signed-off-by: Kai Blin <kai at samba.org>
Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.
(cherry picked from commit 91f4275873ebeda8f57684f09df67162ae80515a)
commit 4eb9c2d365e9238566f1155e1db440b7c92da4bb
Author: Kai Blin <kai at samba.org>
Date: Fri Jan 18 23:11:07 2013 +0100
swat: Use X-Frame-Options header to avoid clickjacking
Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.
Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.
Signed-off-by: Kai Blin <kai at samba.org>
Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.
(cherry picked from commit 71225948a249f079120282740fcc39fd6faa880e)
commit 02396c30db14db3c5177431e48d81202467b9e60
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Jan 29 09:45:06 2013 +0100
WHATSNEW: Prepare release notes for Samba 3.6.12.
This is a Security Release in order to address
CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT).
Karolin
(cherry picked from commit 184d5ab26a553ca7ef3f529e90e4dd8c9aded75d)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 79 ++++++++++++++++++++++++++++++++++++++++++---
source3/VERSION | 2 +-
source3/web/cgi.c | 40 +++++++++++++++--------
source3/web/swat.c | 5 ++-
source3/web/swat_proto.h | 1 +
5 files changed, 105 insertions(+), 22 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2f414bc..d5b94c3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,19 +1,20 @@
==============================
- Release Notes for Samba 3.6.12
- March 18, 2013
+ Release Notes for Samba 3.6.13
+ March 18, 2013
==============================
This is is the latest stable release of Samba 3.6.
-Major enhancements in Samba 3.6.12 include:
+Major enhancements in Samba 3.6.13 include:
-o
+o
-Changes since 3.6.11:
+
+Changes since 3.6.12:
--------------------
-o Jeremy Allison <jra at samba.org>
+o
######################################################################
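Review bot: the unchanged context line "This is is the latest stable release of Samba 3.6." carries a doubled "is"; since the header block is being rewritten for 3.6.13 anyway, this is a good moment to fix it. The new "o" bullet under "Major enhancements" and the empty "Changes since 3.6.12" list are placeholders, which is fine for a start-of-cycle commit, but the "March 18, 2013" date is left as-is for the new release and will need updating before the notes are published.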
@@ -39,6 +40,72 @@ Release notes for older releases follow:
----------------------------------------
==============================
+ Release Notes for Samba 3.6.12
+ January 30, 2013
+ ==============================
+
+
+This is a security release in order to address
+CVE-2013-0213 (Clickjacking issue in SWAT) and
+CVE-2013-0214 (Potential XSRF in SWAT).
+
+o CVE-2013-0213:
+ All current released versions of Samba are vulnerable to clickjacking in the
+ Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
+ a malicious web page via a frame or iframe and then overlaid by other content,
+ an attacker could trick an administrator to potentially change Samba settings.
+
+ In order to be vulnerable, SWAT must have been installed and enabled
+ either as a standalone server launched from inetd or xinetd, or as a
+ CGI plugin to Apache. If SWAT has not been installed or enabled (which
+ is the default install state for Samba) this advisory can be ignored.
+
+o CVE-2013-0214:
+ All current released versions of Samba are vulnerable to a cross-site
+ request forgery in the Samba Web Administration Tool (SWAT). By guessing a
+ user's password and then tricking a user who is authenticated with SWAT into
+ clicking a manipulated URL on a different web page, it is possible to manipulate
+ SWAT.
+
+ In order to be vulnerable, the attacker needs to know the victim's password.
+ Additionally SWAT must have been installed and enabled either as a standalone
+ server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
+ not been installed or enabled (which is the default install state for Samba)
+ this advisory can be ignored.
+
+
+Changes since 3.6.11:
+--------------------
+
+o Kai Blin <kai at samba.org>
+ * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
+ * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
Release Notes for Samba 3.6.11
January 21, 2013
==============================
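Review bot: the CVE-2013-0214 paragraph states that the attacker needs to know the victim's password but does not say why, which leaves readers unable to judge how the fix closes the window. One sentence noting that the XSRF token was previously derived only from the username and password (see the get_xsrf_token change in source3/web/swat.c, which now also mixes in a random nonce kept in secrets.tdb) would make both the precondition and the remedy clear. The same applies to the CVE-2013-0213 entry, which could mention that the fix is the X-Frame-Options: DENY response header, so administrators behind a reverse proxy know what to look for.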
diff --git a/source3/VERSION b/source3/VERSION
index 293a6fb..60503d9 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=6
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
########################################################
# Bug fix releases use a letter for the patch revision #
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index ef1b856..861bc84 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -48,6 +48,7 @@ static const char *baseurl;
static char *pathinfo;
static char *C_user;
static char *C_pass;
+static char *C_nonce;
static bool inetd_server;
static bool got_request;
@@ -329,20 +330,7 @@ static void cgi_web_auth(void)
C_user = SMB_STRDUP(user);
if (!setuid(0)) {
- C_pass = secrets_fetch_generic("root", "SWAT");
- if (C_pass == NULL) {
- char *tmp_pass = NULL;
- tmp_pass = generate_random_password(talloc_tos(),
- 16, 16);
- if (tmp_pass == NULL) {
- printf("%sFailed to create random nonce for "
- "SWAT session\n<br>%s\n", head, tail);
- exit(0);
- }
- secrets_store_generic("root", "SWAT", tmp_pass);
- C_pass = SMB_STRDUP(tmp_pass);
- TALLOC_FREE(tmp_pass);
- }
+ C_pass = SMB_STRDUP(cgi_nonce());
}
setuid(pwd->pw_uid);
if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
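Review bot: with this change the value returned by cgi_nonce() serves two purposes: here it replaces C_pass when SWAT runs as root, and in the swat.c hunk it is also mixed into every XSRF token. A one-line comment at the `C_pass = SMB_STRDUP(cgi_nonce());` call saying that the same secrets.tdb value is shared by both uses would help, because a reader of this function alone cannot tell that the "password" is also a token input. Note also that cgi_nonce() calls exit(0) on failure, so the error path previously visible in this function now terminates inside the callee.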
@@ -459,6 +447,30 @@ char *cgi_user_pass(void)
}
/***************************************************************************
+return a ptr to the nonce
+ ***************************************************************************/
+char *cgi_nonce(void)
+{
+ const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
+ const char *tail = "</BODY></HTML>\r\n";
+ C_nonce = secrets_fetch_generic("root", "SWAT");
+ if (C_nonce == NULL) {
+ char *tmp_pass = NULL;
+ tmp_pass = generate_random_password(talloc_tos(),
+ 16, 16);
+ if (tmp_pass == NULL) {
+ printf("%sFailed to create random nonce for "
+ "SWAT session\n<br>%s\n", head, tail);
+ exit(0);
+ }
+ secrets_store_generic("root", "SWAT", tmp_pass);
+ C_nonce = SMB_STRDUP(tmp_pass);
+ TALLOC_FREE(tmp_pass);
+ }
+ return(C_nonce);
+}
+
+/***************************************************************************
handle a file download
***************************************************************************/
static void cgi_download(char *file)
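Review bot: cgi_nonce() overwrites the static C_nonce on every call without freeing the previous value, and it is called at least twice per request (once from cgi_web_auth, once from get_xsrf_token), so each request leaks one secrets_fetch_generic() result and performs a redundant secrets.tdb lookup. Returning the cached value when it is already set, e.g. `if (C_nonce != NULL) return C_nonce;` at the top of the function, avoids both. Separately, the failure branch prints an "installation Error" page and then calls exit(0); a non-zero exit status would let the inetd/xinetd or Apache logs distinguish this failure from a normal exit.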
diff --git a/source3/web/swat.c b/source3/web/swat.c
index 1f6eb6c..f8933d2 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -154,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass,
MD5_CTX md5_ctx;
uint8_t token[16];
int i;
+ char *nonce = cgi_nonce();
token_str[0] = '\0';
ZERO_STRUCT(md5_ctx);
@@ -167,6 +168,7 @@ void get_xsrf_token(const char *username, const char *pass,
if (pass != NULL) {
MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
}
+ MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
MD5Final(token, &md5_ctx);
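Review bot: the token is now MD5 over username, password and nonce concatenated with no separators or length prefixes, so distinct (user, pass, nonce) triples can produce identical input bytes. Mixing in the secret nonce is the substantive fix, but an HMAC keyed by the nonce over the user and password fields, or at minimum a length prefix before each field, would be the conventional way to build this value. It would also be worth a comment that `nonce` cannot be NULL here because cgi_nonce() exits on failure, since strlen(nonce) would otherwise crash.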
@@ -266,7 +268,8 @@ static void print_header(void)
if (!cgi_waspost()) {
printf("Expires: 0\r\n");
}
- printf("Content-type: text/html\r\n\r\n");
+ printf("Content-type: text/html\r\n");
+ printf("X-Frame-Options: DENY\r\n\r\n");
if (!include_html("include/header.html")) {
printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n");
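Review bot: X-Frame-Options: DENY is the right choice for an admin UI, but the header is only emitted from print_header(); any response written elsewhere, such as the error page assembled in cgi_nonce() with its own "Content-Type: text/html\r\n\r\n" head string, goes out without it. Routing those responses through print_header(), or emitting the anti-framing header from a single helper that every response path calls, would keep the protection consistent.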
diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h
index 424a3af..fe51b1f 100644
--- a/source3/web/swat_proto.h
+++ b/source3/web/swat_proto.h
@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const char *name);
bool am_root(void);
char *cgi_user_name(void);
char *cgi_user_pass(void);
+char *cgi_nonce(void);
void cgi_setup(const char *rootdir, int auth_required);
const char *cgi_baseurl(void);
const char *cgi_pathinfo(void);
--
Samba Shared Repository