Changeset 617
- Timestamp:
- Aug 2, 2011, 10:40:58 AM (14 years ago)
- Location:
- trunk/server
- Files:
-
- 9 edited
trunk/server/WHATSNEW.txt
r599 r617 1 ============================== 2 Release Notes for Samba 3.5.10 3 July 26, 2011 4 ============================== 5 6 7 This is a security release in order to address 8 CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and 9 CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT). 10 11 12 o CVE-2011-2522: 13 The Samba Web Administration Tool (SWAT) in Samba versions 14 3.0.x to 3.5.9 are affected by a cross-site request forgery. 15 16 17 o CVE-2011-2694: 18 The Samba Web Administration Tool (SWAT) in Samba versions 19 3.0.x to 3.5.9 are affected by a cross-site scripting 20 vulnerability. 21 22 Please note that SWAT must be enabled in order for these 23 vulnerabilities to be exploitable. By default, SWAT 24 is *not* enabled on a Samba install. 25 26 27 Changes since 3.5.9: 28 -------------------- 29 30 31 o Kai Blin <kai@samba.org> 32 * BUG 8289: SWAT contains a cross-site scripting vulnerability. 33 * BUG 8290: CSRF vulnerability in SWAT. 34 35 36 ###################################################################### 37 Reporting bugs & Development Discussion 38 ####################################### 39 40 Please discuss this release on the samba-technical mailing list or by 41 joining the #samba-technical IRC channel on irc.freenode.net. 42 43 If you do report problems then please try to send high quality 44 feedback. If you don't provide vital information to help us track down 45 the problem then you will probably be ignored. All bug reports should 46 be filed under the Samba 3.5 product in the project's Bugzilla 47 database (https://bugzilla.samba.org/). 48 49 50 ====================================================================== 51 == Our Code, Our Bugs, Our Responsibility. 
52 == The Samba Team 53 ====================================================================== 54 55 56 Release notes for older releases follow: 57 ---------------------------------------- 58 1 59 ============================= 2 60 Release Notes for Samba 3.5.9 … … 143 201 144 202 145 Release notes for older releases follow: 146 ---------------------------------------- 203 ---------------------------------------------------------------------- 204 147 205 148 206 ============================= -
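--- a/trunk/server/packaging/RHEL-CTDB/samba.spec
+++ b/trunk/server/packaging/RHEL-CTDB/samba.spec
@@ -6,5 +6,5 @@
 Packager: Samba Team <samba@samba.org>
 Name: samba
-Version: 3.5.9
+Version: 3.5.10
 Release: 1GITHASH
 Epoch: 0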
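--- a/trunk/server/packaging/RHEL/makerpms.sh
+++ b/trunk/server/packaging/RHEL/makerpms.sh
@@ -21,5 +21,5 @@
 USERID=`id -u`
 GRPID=`id -g`
-VERSION='3.5.9'
+VERSION='3.5.10'
 REVISION=''
 SPECFILE="samba.spec"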
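--- a/trunk/server/packaging/RHEL/samba.spec
+++ b/trunk/server/packaging/RHEL/samba.spec
@@ -6,5 +6,5 @@
 Packager: Samba Team <samba@samba.org>
 Name: samba
-Version: 3.5.9
+Version: 3.5.10
 Release: 1
 Epoch: 0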
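--- a/trunk/server/source3/VERSION
+++ b/trunk/server/source3/VERSION
@@ -26,5 +26,5 @@
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=9
+SAMBA_VERSION_RELEASE=10
 
 ########################################################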
trunk/server/source3/web/cgi.c
r596 r617 20 20 #include "includes.h" 21 21 #include "web/swat_proto.h" 22 #include "secrets.h" 23 #include "../lib/util/util.h" 22 24 23 25 #define MAX_VARIABLES 10000 … … 43 45 static char *pathinfo; 44 46 static char *C_user; 47 static char *C_pass; 45 48 static bool inetd_server; 46 49 static bool got_request; … … 323 326 } 324 327 325 setuid(0); 328 C_user = SMB_STRDUP(user); 329 330 if (!setuid(0)) { 331 C_pass = secrets_fetch_generic("root", "SWAT"); 332 if (C_pass == NULL) { 333 char *tmp_pass = NULL; 334 tmp_pass = generate_random_str(talloc_tos(), 16); 335 if (tmp_pass == NULL) { 336 printf("%sFailed to create random nonce for " 337 "SWAT session\n<br>%s\n", head, tail); 338 exit(0); 339 } 340 secrets_store_generic("root", "SWAT", tmp_pass); 341 C_pass = SMB_STRDUP(tmp_pass); 342 TALLOC_FREE(tmp_pass); 343 } 344 } 326 345 setuid(pwd->pw_uid); 327 346 if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) { … … 392 411 /* Save the users name */ 393 412 C_user = SMB_STRDUP(user); 413 C_pass = SMB_STRDUP(user_pass); 394 414 TALLOC_FREE(pass); 395 415 return True; … … 426 446 } 427 447 448 /*************************************************************************** 449 return a ptr to the users password 450 ***************************************************************************/ 451 char *cgi_user_pass(void) 452 { 453 return(C_pass); 454 } 428 455 429 456 /*************************************************************************** -
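Review bot: The result of `secrets_store_generic("root", "SWAT", tmp_pass)` at line 340 is never checked, so if the secrets store cannot be written each CGI invocation will mint a fresh random nonce and the tokens printed for a root session can never verify on the next request; the call should be checked and the failure reported, e.g. `if (!secrets_store_generic("root", "SWAT", tmp_pass)) { DEBUG(0, ("SWAT: could not persist the session nonce\n")); }` (assuming the tree's usual DEBUG macro is in scope here via includes.h). Note also that `C_user = SMB_STRDUP(user)` at line 328 is assigned again at line 412 in the later hunk without the first copy being freed; if both assignments can run in the same request the first allocation leaks, though that may be harmless for a one-shot CGI process. Since `C_pass` now holds either the user's plaintext password or the root nonce and is used as key material for every XSRF token, a comment on the declaration at line 47 would help the next reader, e.g. `/* plaintext password (or the stored root nonce); key material for the XSRF tokens */`. The enclosing function starts and ends outside the hunk.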
trunk/server/source3/web/statuspage.c
r414 r617 248 248 bool waitup = False; 249 249 TALLOC_CTX *ctx = talloc_stackframe(); 250 const char form_name[] = "status"; 250 251 251 252 smbd_pid = pid_to_procid(pidfile_pid("smbd")); 253 254 if (!verify_xsrf_token(form_name)) { 255 goto output_page; 256 } 252 257 253 258 if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) { … … 327 332 initPid2Machine (); 328 333 334 output_page: 329 335 printf("<H2>%s</H2>\n", _("Server Status")); 330 336 331 337 printf("<FORM method=post>\n"); 338 print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); 332 339 333 340 if (!autorefresh) { -
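Review bot: When `verify_xsrf_token(form_name)` fails at line 254 the requested restart/stop/kill action is silently dropped and the page is redrawn as if nothing was submitted, which an operator will read as "the button did nothing"; the intent deserves a comment at the check, e.g. `/* Missing or stale token: ignore any action in this request and just redraw the form (which carries a fresh token). */`. It is also worth stating in that comment that the check deliberately runs before any `cgi_variable(...)` action is honoured, since the `goto output_page` at line 255 is what enforces that ordering. The enclosing function starts and ends outside the hunk.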
trunk/server/source3/web/swat.c
r599 r617 30 30 #include "includes.h" 31 31 #include "web/swat_proto.h" 32 #include "../lib/crypto/md5.h" 32 33 33 34 static int demo_mode = False; … … 51 52 #define ENABLE_USER_FLAG "enable_user_flag" 52 53 #define RHOST "remote_host" 54 #define XSRF_TOKEN "xsrf" 55 #define XSRF_TIME "xsrf_time" 56 #define XSRF_TIMEOUT 300 53 57 54 58 #define _(x) lang_msg_rotate(talloc_tos(),x) … … 138 142 return parmname; 139 143 } 144 145 void get_xsrf_token(const char *username, const char *pass, 146 const char *formname, time_t xsrf_time, char token_str[33]) 147 { 148 struct MD5Context md5_ctx; 149 uint8_t token[16]; 150 int i; 151 152 token_str[0] = '\0'; 153 ZERO_STRUCT(md5_ctx); 154 MD5Init(&md5_ctx); 155 156 MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname)); 157 MD5Update(&md5_ctx, (uint8_t *)&xsrf_time, sizeof(time_t)); 158 if (username != NULL) { 159 MD5Update(&md5_ctx, (uint8_t *)username, strlen(username)); 160 } 161 if (pass != NULL) { 162 MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass)); 163 } 164 165 MD5Final(token, &md5_ctx); 166 167 for(i = 0; i < sizeof(token); i++) { 168 char tmp[3]; 169 170 snprintf(tmp, sizeof(tmp), "%02x", token[i]); 171 strncat(token_str, tmp, sizeof(tmp)); 172 } 173 } 174 175 void print_xsrf_token(const char *username, const char *pass, 176 const char *formname) 177 { 178 char token[33]; 179 time_t xsrf_time = time(NULL); 180 181 get_xsrf_token(username, pass, formname, xsrf_time, token); 182 printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n", 183 XSRF_TOKEN, token); 184 printf("<input type=\"hidden\" name=\"%s\" value=\"%lld\">\n", 185 XSRF_TIME, (long long int)xsrf_time); 186 } 187 188 bool verify_xsrf_token(const char *formname) 189 { 190 char expected[33]; 191 const char *username = cgi_user_name(); 192 const char *pass = cgi_user_pass(); 193 const char *token = cgi_variable_nonull(XSRF_TOKEN); 194 const char *time_str = cgi_variable_nonull(XSRF_TIME); 195 time_t xsrf_time = 0; 196 time_t now = time(NULL); 197 198 
if (sizeof(time_t) == sizeof(int)) { 199 xsrf_time = atoi(time_str); 200 } else if (sizeof(time_t) == sizeof(long)) { 201 xsrf_time = atol(time_str); 202 } else if (sizeof(time_t) == sizeof(long long)) { 203 xsrf_time = atoll(time_str); 204 } 205 206 if (abs(now - xsrf_time) > XSRF_TIMEOUT) { 207 return false; 208 } 209 210 get_xsrf_token(username, pass, formname, xsrf_time, expected); 211 return (strncmp(expected, token, sizeof(expected)) == 0); 212 } 213 140 214 141 215 /**************************************************************************** … … 612 686 { 613 687 int full_view=0; 688 const char form_name[] = "viewconfig"; 689 690 if (!verify_xsrf_token(form_name)) { 691 goto output_page; 692 } 614 693 615 694 if (cgi_variable("full_view")) { … … 617 696 } 618 697 698 output_page: 619 699 printf("<H2>%s</H2>\n", _("Current Config")); 620 700 printf("<form method=post>\n"); 701 print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); 621 702 622 703 if (full_view) { … … 638 719 { 639 720 unsigned int parm_filter = FLAG_WIZARD; 721 const char form_name[] = "wizard_params"; 640 722 641 723 /* Here we first set and commit all the parameters that were selected … … 643 725 644 726 printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page")); 727 728 if (!verify_xsrf_token(form_name)) { 729 goto output_page; 730 } 645 731 646 732 if (cgi_variable("Commit")) { … … 649 735 } 650 736 737 output_page: 651 738 printf("<form name=\"swatform\" method=post action=wizard_params>\n"); 739 print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); 652 740 653 741 if (have_write_access) { … … 685 773 int HomeExpo = 0; 686 774 int SerType = 0; 775 const char form_name[] = "wizard"; 776 777 if (!verify_xsrf_token(form_name)) { 778 goto output_page; 779 } 687 780 688 781 if (cgi_variable("Rewrite")) { … … 775 868 776 869 role = lp_server_role(); 777 870 871 output_page: 778 872 /* Here we go ... 
*/ 779 873 printf("<H2>%s</H2>\n", _("Samba Configuration Wizard")); 780 874 printf("<form method=post action=wizard>\n"); 875 print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); 781 876 782 877 if (have_write_access) { … … 847 942 unsigned int parm_filter = FLAG_BASIC; 848 943 int mode = 0; 944 const char form_name[] = "globals"; 849 945 850 946 printf("<H2>%s</H2>\n", _("Global Parameters")); 947 948 if (!verify_xsrf_token(form_name)) { 949 goto output_page; 950 } 851 951 852 952 if (cgi_variable("Commit")) { … … 862 962 mode = 1; 863 963 964 output_page: 864 965 printf("<form name=\"swatform\" method=post action=globals>\n"); 966 print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); 865 967 866 968 ViewModeBoxes( mode ); … … 902 1004 unsigned int parm_filter = FLAG_BASIC; 903 1005 size_t converted_size; 1006 const char form_name[] = "shares"; 1007 1008 printf("<H2>%s</H2>\n", _("Share Parameters")); 1009 1010 if (!verify_xsrf_token(form_name)) { 1011 goto output_page; 1012 } 904 1013 905 1014 if (share) 906 1015 snum = lp_servicenumber(share); 907 1016 908 printf("<H2>%s</H2>\n", _("Share Parameters"));909 1017 910 1018 if (cgi_variable("Commit") && snum >= 0) { … … 932 1040 } 933 1041 934 printf("<FORM name=\"swatform\" method=post>\n");935 936 printf("<table>\n");937 938 1042 if ( cgi_variable("ViewMode") ) 939 1043 mode = atoi(cgi_variable_nonull("ViewMode")); … … 942 1046 if ( cgi_variable("AdvMode")) 943 1047 mode = 1; 1048 1049 output_page: 1050 printf("<FORM name=\"swatform\" method=post>\n"); 1051 print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); 1052 1053 printf("<table>\n"); 944 1054 945 1055 ViewModeBoxes( mode ); … … 1122 1232 printf("<p>"); 1123 1233 if (rslt == True) { 1124 printf(_(" The passwd for '%s' has been changed."), cgi_variable_nonull(SWAT_USER)); 1125 printf("\n"); 1234 printf("%s\n", _(" The passwd has been changed.")); 1126 1235 } else { 1127 printf(_(" The passwd for '%s' has NOT been changed."), 
cgi_variable_nonull(SWAT_USER)); 1128 printf("\n"); 1236 printf("%s\n", _(" The passwd has NOT been changed.")); 1129 1237 } 1130 1238 } … … 1139 1247 { 1140 1248 const char *new_name = cgi_user_name(); 1141 1142 /* 1143 * After the first time through here be nice. If the user 1144 * changed the User box text to another users name, remember it. 1145 */ 1146 if (cgi_variable(SWAT_USER)) { 1147 new_name = cgi_variable_nonull(SWAT_USER); 1148 } 1249 const char passwd_form[] = "passwd"; 1250 const char rpasswd_form[] = "rpasswd"; 1149 1251 1150 1252 if (!new_name) new_name = ""; … … 1153 1255 1154 1256 printf("<FORM name=\"swatform\" method=post>\n"); 1257 print_xsrf_token(cgi_user_name(), cgi_user_pass(), passwd_form); 1155 1258 1156 1259 printf("<table>\n"); … … 1192 1295 * requested. It could be this is the first time through this 1193 1296 * code, so there isn't anything to do. */ 1194 if ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) || 1195 (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG))) { 1297 if (verify_xsrf_token(passwd_form) && 1298 ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) || 1299 (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG)))) { 1196 1300 chg_passwd(); 1197 1301 } … … 1200 1304 1201 1305 printf("<FORM name=\"swatform\" method=post>\n"); 1306 print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form); 1202 1307 1203 1308 printf("<table>\n"); … … 1232 1337 * is the first time through this code, so there isn't 1233 1338 * anything to do. 
*/ 1234 if ( cgi_variable(CHG_R_PASSWD_FLAG)) {1339 if (verify_xsrf_token(passwd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) { 1235 1340 chg_passwd(); 1236 1341 } … … 1249 1354 int mode = 0; 1250 1355 unsigned int parm_filter = FLAG_BASIC; 1356 const char form_name[] = "printers"; 1357 1358 if (!verify_xsrf_token(form_name)) { 1359 goto output_page; 1360 } 1251 1361 1252 1362 if (share) 1253 1363 snum = lp_servicenumber(share); 1254 1255 printf("<H2>%s</H2>\n", _("Printer Parameters"));1256 1257 printf("<H3>%s</H3>\n", _("Important Note:"));1258 printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));1259 printf("%s",_("are autoloaded printers from "));1260 printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));1261 printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));1262 1364 1263 1365 if (cgi_variable("Commit") && snum >= 0) { … … 1289 1391 } 1290 1392 1291 printf("<FORM name=\"swatform\" method=post>\n");1292 1293 1393 if ( cgi_variable("ViewMode") ) 1294 1394 mode = atoi(cgi_variable_nonull("ViewMode")); … … 1297 1397 if ( cgi_variable("AdvMode")) 1298 1398 mode = 1; 1399 1400 output_page: 1401 printf("<H2>%s</H2>\n", _("Printer Parameters")); 1402 1403 printf("<H3>%s</H3>\n", _("Important Note:")); 1404 printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box ")); 1405 printf("%s",_("are autoloaded printers from ")); 1406 printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name")); 1407 printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect.")); 1408 1409 1410 printf("<FORM name=\"swatform\" method=post>\n"); 1411 print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); 1299 1412 1300 1413 ViewModeBoxes( mode ); -
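Review bot: In passwd_page the remote-password form is emitted with `print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form)` at line 1306, but the submission is checked with `verify_xsrf_token(passwd_form)` at line 1339, so the form name folded into the MD5 differs ("rpasswd" vs "passwd") and a change submitted through that form can never pass verification; the check should read `if (verify_xsrf_token(rpasswd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) {`. In verify_xsrf_token, `abs(now - xsrf_time)` at line 206 pushes a time_t difference through int, which truncates on platforms with a 64-bit time_t and lets an attacker-chosen timestamp far outside the window wrap into it; test the window on time_t directly, e.g. `if (xsrf_time < now - XSRF_TIMEOUT || xsrf_time > now + XSRF_TIMEOUT) { return false; }`, which also avoids overflow since `now` is the current time. The `strncmp` at line 211 stops at the first differing byte; a constant-time comparison would be preferable for a secret-derived token if one is available in the tree. In get_xsrf_token the `strncat(token_str, tmp, sizeof(tmp))` loop at lines 167-172 can be written as `snprintf(token_str + 2 * i, 3, "%02x", token[i]);` with no temporary, and the three new functions lack the block-comment headers the rest of swat.c uses, which should at least say that token_str receives 32 hex characters plus NUL and that username and pass may be NULL.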
trunk/server/source3/web/swat_proto.h
r414 r617 32 32 bool am_root(void); 33 33 char *cgi_user_name(void); 34 char *cgi_user_pass(void); 34 35 void cgi_setup(const char *rootdir, int auth_required); 35 36 const char *cgi_baseurl(void); … … 67 68 68 69 const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid); 70 void get_xsrf_token(const char *username, const char *pass, 71 const char *formname, time_t xsrf_time, char token_str[33]); 72 void print_xsrf_token(const char *username, const char *pass, 73 const char *formname); 74 bool verify_xsrf_token(const char *formname); 69 75 70 76 #endif /* _SWAT_PROTO_H_ */
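Review bot: The new prototypes at lines 70-74 carry no comment, so the contract is only discoverable by reading swat.c: `token_str` must have room for 32 hex characters plus the terminating NUL (hence `[33]`), `username` and `pass` may be NULL, and `verify_xsrf_token` reads the token and its timestamp from the CGI variables and rejects timestamps outside XSRF_TIMEOUT. A short block above `get_xsrf_token` such as `/* Per-form anti-CSRF token: MD5 over formname, xsrf_time, username and pass (either may be NULL), written as 32 hex chars + NUL into token_str. */` and one line on `verify_xsrf_token` noting that it returns false for a missing, mismatched or expired token would close that gap.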