Samba 2.0.7 SWAT vulnerabilities (fwd)

Jeremy Allison jeremy at valinux.com
Sat Nov 4 21:45:04 GMT 2000


Ok - here is the patch against 2.0.7 that fixes the problem
where SWAT lets a client distinguish between users that exist
and those that don't. This patch has been tested by the original
reporter of the problem and confirmed to be a fix.

Let me know if this is a suitable response; I'm hoping not
to have to release a 2.0.7a with this fix, as it doesn't seem
to be such a critical problem (plus I'm spending all my time
trying to get 2.2.0 out of the door), but if user pressure demands
it we will of course release a new version.

Cheers,

		Jeremy Allison,
		Samba Team.

Index: web/cgi.c
===================================================================
RCS file: /data/cvs/samba/source/web/cgi.c,v
retrieving revision 1.30.2.2.2.6
diff -u -r1.30.2.2.2.6 cgi.c
--- web/cgi.c	2000/04/11 17:36:36	1.30.2.2.2.6
+++ web/cgi.c	2000/11/04 21:14:51
@@ -26,8 +26,6 @@
 /* set the expiry on fixed pages */
 #define EXPIRY_TIME (60*60*24*7)
 
-#define CGI_LOGGING 0
-
 #ifdef DEBUG_COMMENTS
 extern void print_title(char *fmt, ...);
 #endif
@@ -198,7 +196,7 @@
 	}
 
 	fclose(stdin);
-	(void)open("/dev/null", O_RDWR);
+	open("/dev/null", O_RDWR);
 
 	if ((s=query_string) || (s=getenv("QUERY_STRING"))) {
 		for (tok=strtok(s,"&;");tok;tok=strtok(NULL,"&;")) {
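Review bot: Dropping the `(void)` cast on `open("/dev/null", O_RDWR)` removes the only signal that the result is discarded on purpose, and the descriptor number is still never verified. After `fclose(stdin)` the code presumably relies on the new descriptor landing on fd 0, which holds only if 0 is the lowest free descriptor at that point. Making the assumption explicit, e.g. `if (open("/dev/null", O_RDWR) != 0) { /* stdin was not redirected */ }`, is clearer than silently dropping the cast. The enclosing function starts before this hunk.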
@@ -327,7 +325,6 @@
 	d[n] = 0;
 }
 
-
 /***************************************************************************
 handle a http authentication line
   ***************************************************************************/
@@ -336,11 +333,17 @@
 	char *p, *user, *user_pass;
 	struct passwd *pass = NULL;
 	BOOL ret = False;
+	BOOL got_name = False;
+	BOOL tested_pass = False;
+	fstring default_user_lookup;
+	fstring default_user_pass;
+
+	/* Dummy user lookup to take the same time as a valid user. */
+	fstrcpy(default_user_lookup, "zzzz bibble");
+	fstrcpy(default_user_pass, "123456789");
 
 	if (strncasecmp(line,"Basic ", 6)) {
-		cgi_setup_error("401 Bad Authorization", "", 
-				"Only basic authorization is understood");
-		return False;
+		goto err;
 	}
 	line += 6;
 	while (line[0] == ' ') line++;
@@ -350,9 +353,7 @@
 		 * Always give the same error so a cracker
 		 * cannot tell why we fail.
 		 */
-		cgi_setup_error("401 Bad Authorization", "", 
-				"username/password must be supplied");
-		return False;
+		goto err;
 	}
 	*p = 0;
 	user = line;
@@ -367,15 +368,16 @@
 		 * Always give the same error so a cracker
 		 * cannot tell why we fail.
 		 */
-		cgi_setup_error("401 Bad Authorization", "",
-				"username/password must be supplied");
-		return False;
+		got_name = True;
+		goto err;
 	}
 
 	/*
 	 * Validate the password they have given.
 	 */
 
+	tested_pass = True;
+
 	if((ret = pass_check(user, user_pass, strlen(user_pass), NULL, NULL)) == True) {
 
 		/*
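Review bot: `got_name = True` is set only on the branch where the user lookup failed, so when the name does resolve but the password is then rejected, the error path still runs the dummy `Get_Pwnam(default_user_lookup, False)` — existing and non-existing users then do a different amount of lookup work, which is the difference this patch sets out to remove. If the real `Get_Pwnam(user, False)` call sits just above this hunk (it is not visible here), set `got_name = True;` immediately after that call instead of inside its failure branch. This hunk starts and ends inside the function body.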
@@ -394,7 +396,20 @@
 		C_user = strdup(user);
 	}
 
-	return ret;
+  err:
+
+	/* Always take the same time. */
+	if (!got_name)
+		Get_Pwnam(default_user_lookup,False);
+
+	if (!tested_pass)
+		pass_check(default_user_lookup, default_user_pass,
+					strlen(default_user_pass), NULL, NULL);
+
+	cgi_setup_error("401 Bad Authorization", "", 
+			"username or password incorrect");
+
+	return False;
 }
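Review bot: The removed `return ret;` was the exit for a successful login, and the only return left in the function is the `return False;` after `err:`; unless the unchanged lines between `pass_check(...)` and `C_user = strdup(user);` return on success, a valid login now falls into the error label, runs the dummy checks, emits `401 Bad Authorization` and returns False. Add `return ret;` (or `return True;`) after the closing brace of the `if ((ret = pass_check(...)) == True)` block, before the `err:` label. If the success path does return earlier in the lines not shown, then `ret` is assigned but never read and `BOOL ret = False;` can be dropped. The function starts before this hunk; its closing brace is the last line here.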
 
 /***************************************************************************
@@ -451,6 +466,8 @@
 			printf("Content-Type: image/gif\r\n");
 		} else if (strcmp(p,".jpg")==0) {
 			printf("Content-Type: image/jpeg\r\n");
+		} else if (strcmp(p,".txt")==0) {
+			printf("Content-Type: text/plain\r\n");
 		} else {
 			printf("Content-Type: text/html\r\n");
 		}
@@ -476,9 +493,6 @@
 	char line[1024];
 	char *url=NULL;
 	char *p;
-#if CGI_LOGGING
-	FILE *f;
-#endif
 
 	if (chdir(rootdir)) {
 		cgi_setup_error("400 Server Error", "",
@@ -500,19 +514,9 @@
 				"Samba is configured to deny access from this client\n<br>Check your \"hosts allow\" and \"hosts deny\" options in smb.conf ");
 	}
 
-#if CGI_LOGGING
-	f = sys_fopen("/tmp/cgi.log", "a");
-	if (f) fprintf(f,"\n[Date: %s   %s (%s)]\n", 
-		       http_timestring(time(NULL)),
-		       client_name(1), client_addr(1));
-#endif
-
 	/* we are a mini-web server. We need to read the request from stdin
 	   and handle authentication etc */
 	while (fgets(line, sizeof(line)-1, stdin)) {
-#if CGI_LOGGING
-		if (f) fputs(line, f);
-#endif
 		if (line[0] == '\r' || line[0] == '\n') break;
 		if (strncasecmp(line,"GET ", 4)==0) {
 			got_request = True;
@@ -532,9 +536,6 @@
 		}
 		/* ignore all other requests! */
 	}
-#if CGI_LOGGING
-	if (f) fclose(f);
-#endif
 
 	if (auth_required && !authenticated) {
 		cgi_auth_error();
-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------