diff options
Diffstat (limited to 'package/samba/samba-01CVE-2011-2522.patch')
| -rw-r--r-- | package/samba/samba-01CVE-2011-2522.patch | 749 |
1 files changed, 749 insertions, 0 deletions
diff --git a/package/samba/samba-01CVE-2011-2522.patch b/package/samba/samba-01CVE-2011-2522.patch new file mode 100644 index 000000000..7d48b554c --- /dev/null +++ b/package/samba/samba-01CVE-2011-2522.patch @@ -0,0 +1,749 @@ +From b610e0cee563465c6b970647b215f8ae4d0c6599 Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Fri, 8 Jul 2011 12:56:21 +0200 +Subject: [PATCH 01/12] s3 swat: Allow getting the user's HTTP auth password + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/cgi.c | 9 +++++++++ + source/web/swat_proto.h | 1 + + 2 files changed, 10 insertions(+), 0 deletions(-) + +diff --git a/source/web/cgi.c b/source/web/cgi.c +index 72aa11c..ccdc3a7 100644 +--- a/source/web/cgi.c ++++ b/source/web/cgi.c +@@ -42,6 +42,7 @@ static char *query_string; + static const char *baseurl; + static char *pathinfo; + static char *C_user; ++static char *C_pass; + static bool inetd_server; + static bool got_request; + +@@ -388,6 +389,7 @@ static bool cgi_handle_authorization(char *line) + + /* Save the users name */ + C_user = SMB_STRDUP(user); ++ C_pass = SMB_STRDUP(user_pass); + TALLOC_FREE(pass); + return True; + } +@@ -422,6 +424,13 @@ char *cgi_user_name(void) + return(C_user); + } + ++/*************************************************************************** ++return a ptr to the users password ++ ***************************************************************************/ ++char *cgi_user_pass(void) ++{ ++ return(C_pass); ++} + + /*************************************************************************** + handle a file download +diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h +index 0f84e4f..76f9c3c 100644 +--- a/source/web/swat_proto.h ++++ b/source/web/swat_proto.h +@@ -31,6 +31,7 @@ const char *cgi_variable(const char *name); + const char *cgi_variable_nonull(const char *name); + bool am_root(void); + char *cgi_user_name(void); ++char *cgi_user_pass(void); + void cgi_setup(const char *rootdir, int auth_required); + const char *cgi_baseurl(void); + const char *cgi_pathinfo(void); +-- +1.7.1 + + +From 3806fec53dcf3b6e5c3fd71917f9d67d47c65e32 Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Fri, 8 Jul 2011 12:57:43 +0200 +Subject: [PATCH 02/12] s3 swat: Add support for anti-XSRF token + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/swat.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++ + source/web/swat_proto.h | 5 ++++ + 2 files changed, 59 insertions(+), 0 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 434b1ac..e7d84e5 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -29,6 +29,7 @@ + + #include "includes.h" + #include "web/swat_proto.h" ++#include "../lib/crypto/md5.h" + + static int demo_mode = False; + static int passwd_only = False; +@@ -50,6 +51,7 @@ static int iNumNonAutoPrintServices = 0; + #define DISABLE_USER_FLAG "disable_user_flag" + #define ENABLE_USER_FLAG "enable_user_flag" + #define RHOST "remote_host" ++#define XSRF_TOKEN "xsrf" + + #define _(x) lang_msg_rotate(talloc_tos(),x) + +@@ -138,6 +140,58 @@ static char *make_parm_name(const char *label) + return parmname; + } + ++void get_xsrf_token(const char *username, const char *pass, ++ const char *formname, char token_str[33]) ++{ ++ struct MD5Context md5_ctx; ++ uint8_t token[16]; ++ int i; ++ ++ token_str[0] = '\0'; ++ ZERO_STRUCT(md5_ctx); ++ MD5Init(&md5_ctx); ++ ++ MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname)); ++ if (username != NULL) { ++ MD5Update(&md5_ctx, (uint8_t *)username, strlen(username)); ++ } ++ if (pass != NULL) { ++ MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass)); ++ } ++ ++ MD5Final(token, &md5_ctx); ++ ++ for(i = 0; i < sizeof(token); i++) { ++ char tmp[3]; ++ ++ snprintf(tmp, sizeof(tmp), "%02x", token[i]); ++ strncat(token_str, tmp, sizeof(tmp)); ++ } ++} ++ ++void print_xsrf_token(const char *username, const char *pass, ++ const char *formname) ++{ ++ char token[33]; ++ ++ get_xsrf_token(username, pass, formname, token); ++ printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n", ++ XSRF_TOKEN, token); ++ ++} ++ ++bool verify_xsrf_token(const char *formname) ++{ ++ char expected[33]; ++ const char *username = cgi_user_name(); ++ const char *pass = cgi_user_pass(); ++ const char *token = cgi_variable_nonull(XSRF_TOKEN); ++ ++ get_xsrf_token(username, pass, formname, expected); ++ return (strncmp(expected, token, sizeof(expected)) == 0); ++} ++ ++ + /**************************************************************************** + include a lump of html in a page + ****************************************************************************/ +diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h +index 76f9c3c..e66c942 100644 +--- a/source/web/swat_proto.h ++++ b/source/web/swat_proto.h +@@ -67,5 +67,10 @@ void status_page(void); + /* The following definitions come from web/swat.c */ + + const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid); ++void get_xsrf_token(const char *username, const char *pass, ++ const char *formname, char token_str[33]); ++void print_xsrf_token(const char *username, const char *pass, ++ const char *formname); ++bool verify_xsrf_token(const char *formname); + + #endif /* _SWAT_PROTO_H_ */ +-- +1.7.1 + + +From 3f38cf42facc38c19e0448cbae3078b9606b08e4 Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Fri, 8 Jul 2011 12:58:53 +0200 +Subject: [PATCH 03/12] s3 swat: Add XSRF protection to status page + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/statuspage.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/source/web/statuspage.c b/source/web/statuspage.c +index 8070ae7..fe545e4 100644 +--- a/source/web/statuspage.c ++++ b/source/web/statuspage.c +@@ -247,9 +247,14 @@ void status_page(void) + int nr_running=0; + bool waitup = False; + TALLOC_CTX *ctx = talloc_stackframe(); ++ const char form_name[] = "status"; + + smbd_pid = pid_to_procid(pidfile_pid("smbd")); + ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } ++ + if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) { + stop_smbd(); + start_smbd(); +@@ -326,9 +331,11 @@ void status_page(void) + + initPid2Machine (); + ++output_page: + printf("<H2>%s</H2>\n", _("Server Status")); + + printf("<FORM method=post>\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); + + if (!autorefresh) { + printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh")); +-- +1.7.1 + + +From ba996f0ae87f6bf4f19a4918e44dbd6d44a96561 Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Fri, 8 Jul 2011 15:02:53 +0200 +Subject: [PATCH 04/12] s3 swat: Add XSRF protection to viewconfig page + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/swat.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index e7d84e5..647126f 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -664,13 +664,20 @@ static void welcome_page(void) + static void viewconfig_page(void) + { + int full_view=0; ++ const char form_name[] = "viewconfig"; ++ ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } + + if (cgi_variable("full_view")) { + full_view = 1; + } + ++output_page: + printf("<H2>%s</H2>\n", _("Current Config")); + printf("<form method=post>\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); + + if (full_view) { + printf("<input type=submit name=\"normal_view\" value=\"%s\">\n", _("Normal View")); +-- +1.7.1 + + +From 94f8482607a175c44436fae456fbda3624629982 Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Fri, 8 Jul 2011 15:03:15 +0200 +Subject: [PATCH 05/12] s3 swat: Add XSRF protection to wizard_params page + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/swat.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 647126f..b7eec4a 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -697,18 +697,25 @@ output_page: + static void wizard_params_page(void) + { + unsigned int parm_filter = FLAG_WIZARD; ++ const char form_name[] = "wizard_params"; + + /* Here we first set and commit all the parameters that were selected + in the previous screen. */ + + printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page")); + ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } ++ + if (cgi_variable("Commit")) { + commit_parameters(GLOBAL_SECTION_SNUM); + save_reload(0); + } + ++output_page: + printf("<form name=\"swatform\" method=post action=wizard_params>\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); + + if (have_write_access) { + printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n"); +-- +1.7.1 + + +From eb22fd73060534700d514ec295985549131c7569 Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Fri, 8 Jul 2011 15:03:44 +0200 +Subject: [PATCH 06/12] s3 swat: Add XSRF protection to wizard page + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/swat.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index b7eec4a..b6e0c0f 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -751,6 +751,11 @@ static void wizard_page(void) + int have_home = -1; + int HomeExpo = 0; + int SerType = 0; ++ const char form_name[] = "wizard"; ++ ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } + + if (cgi_variable("Rewrite")) { + (void) rewritecfg_file(); +@@ -841,10 +846,12 @@ static void wizard_page(void) + winstype = 3; + + role = lp_server_role(); +- ++ ++output_page: + /* Here we go ... */ + printf("<H2>%s</H2>\n", _("Samba Configuration Wizard")); + printf("<form method=post action=wizard>\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); + + if (have_write_access) { + printf("%s\n", _("The \"Rewrite smb.conf file\" button will clear the smb.conf file of all default values and of comments.")); +-- +1.7.1 + + +From 8fb3064eeaa3640af6c8b91aa5859d8bfb6d0888 Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Fri, 8 Jul 2011 15:04:12 +0200 +Subject: [PATCH 07/12] s3 swat: Add XSRF protection to globals page + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/swat.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index b6e0c0f..5d11685 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -920,9 +920,14 @@ static void globals_page(void) + { + unsigned int parm_filter = FLAG_BASIC; + int mode = 0; ++ const char form_name[] = "globals"; + + printf("<H2>%s</H2>\n", _("Global Parameters")); + ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } ++ + if (cgi_variable("Commit")) { + commit_parameters(GLOBAL_SECTION_SNUM); + save_reload(0); +@@ -935,7 +940,9 @@ static void globals_page(void) + if ( cgi_variable("AdvMode")) + mode = 1; + ++output_page: + printf("<form name=\"swatform\" method=post action=globals>\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); + + ViewModeBoxes( mode ); + switch ( mode ) { +-- +1.7.1 + + +From ef457a20422cfa8231e25b539d2cd87f299686b9 Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Fri, 8 Jul 2011 15:04:48 +0200 +Subject: [PATCH 08/12] s3 swat: Add XSRF protection to shares page + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/swat.c | 18 +++++++++++++----- + 1 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 5d11685..4544c31 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -982,11 +982,17 @@ static void shares_page(void) + int mode = 0; + unsigned int parm_filter = FLAG_BASIC; + size_t converted_size; ++ const char form_name[] = "shares"; ++ ++ printf("<H2>%s</H2>\n", _("Share Parameters")); ++ ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } + + if (share) + snum = lp_servicenumber(share); + +- printf("<H2>%s</H2>\n", _("Share Parameters")); + + if (cgi_variable("Commit") && snum >= 0) { + commit_parameters(snum); +@@ -1012,10 +1018,6 @@ static void shares_page(void) + } + } + +- printf("<FORM name=\"swatform\" method=post>\n"); +- +- printf("<table>\n"); +- + if ( cgi_variable("ViewMode") ) + mode = atoi(cgi_variable_nonull("ViewMode")); + if ( cgi_variable("BasicMode")) +@@ -1023,6 +1025,12 @@ static void shares_page(void) + if ( cgi_variable("AdvMode")) + mode = 1; + ++output_page: ++ printf("<FORM name=\"swatform\" method=post>\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); ++ ++ printf("<table>\n"); ++ + ViewModeBoxes( mode ); + switch ( mode ) { + case 0: +-- +1.7.1 + + +From 4850456845d2da5e3451716a5ad4ca0ef034e01f Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Fri, 8 Jul 2011 15:05:38 +0200 +Subject: [PATCH 09/12] s3 swat: Add XSRF protection to password page + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/swat.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 4544c31..5242484 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -1225,12 +1225,15 @@ static void chg_passwd(void) + static void passwd_page(void) + { + const char *new_name = cgi_user_name(); ++ const char passwd_form[] = "passwd"; ++ const char rpasswd_form[] = "rpasswd"; + + if (!new_name) new_name = ""; + + printf("<H2>%s</H2>\n", _("Server Password Management")); + + printf("<FORM name=\"swatform\" method=post>\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), passwd_form); + + printf("<table>\n"); + +@@ -1270,14 +1273,16 @@ static void passwd_page(void) + * Do some work if change, add, disable or enable was + * requested. It could be this is the first time through this + * code, so there isn't anything to do. */ +- if ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) || +- (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG))) { ++ if (verify_xsrf_token(passwd_form) && ++ ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) || ++ (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG)))) { + chg_passwd(); + } + + printf("<H2>%s</H2>\n", _("Client/Server Password Management")); + + printf("<FORM name=\"swatform\" method=post>\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form); + + printf("<table>\n"); + +@@ -1310,7 +1315,7 @@ static void passwd_page(void) + * password somewhere other than the server. It could be this + * is the first time through this code, so there isn't + * anything to do. */ +- if (cgi_variable(CHG_R_PASSWD_FLAG)) { ++ if (verify_xsrf_token(passwd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) { + chg_passwd(); + } + +-- +1.7.1 + + +From 407ae61fbfc8ee1643a4db8ea9b104f031b32e0f Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Fri, 8 Jul 2011 15:06:13 +0200 +Subject: [PATCH 10/12] s3 swat: Add XSRF protection to printer page + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/swat.c | 28 ++++++++++++++++++---------- + 1 files changed, 18 insertions(+), 10 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 5242484..4582a63 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -1332,18 +1332,15 @@ static void printers_page(void) + int i; + int mode = 0; + unsigned int parm_filter = FLAG_BASIC; ++ const char form_name[] = "printers"; ++ ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } + + if (share) + snum = lp_servicenumber(share); + +- printf("<H2>%s</H2>\n", _("Printer Parameters")); +- +- printf("<H3>%s</H3>\n", _("Important Note:")); +- printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box ")); +- printf("%s",_("are autoloaded printers from ")); +- printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name")); +- printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect.")); +- + if (cgi_variable("Commit") && snum >= 0) { + commit_parameters(snum); + if (snum >= iNumNonAutoPrintServices) +@@ -1372,8 +1369,6 @@ static void printers_page(void) + } + } + +- printf("<FORM name=\"swatform\" method=post>\n"); +- + if ( cgi_variable("ViewMode") ) + mode = atoi(cgi_variable_nonull("ViewMode")); + if ( cgi_variable("BasicMode")) +@@ -1381,6 +1376,19 @@ static void printers_page(void) + if ( cgi_variable("AdvMode")) + mode = 1; + ++output_page: ++ printf("<H2>%s</H2>\n", _("Printer Parameters")); ++ ++ printf("<H3>%s</H3>\n", _("Important Note:")); ++ printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box ")); ++ printf("%s",_("are autoloaded printers from ")); ++ printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name")); ++ printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect.")); ++ ++ ++ printf("<FORM name=\"swatform\" method=post>\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); ++ + ViewModeBoxes( mode ); + switch ( mode ) { + case 0: +-- +1.7.1 + + +From 11e281228f334bf3d384df5655136f0b4b4068aa Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Sat, 9 Jul 2011 09:52:07 +0200 +Subject: [PATCH 11/12] s3 swat: Add time component to XSRF token + +Signed-off-by: Kai Blin <kai@samba.org> +--- + source/web/swat.c | 28 ++++++++++++++++++++++++---- + source/web/swat_proto.h | 2 +- + 2 files changed, 25 insertions(+), 5 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 4582a63..50df66e 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -52,6 +52,8 @@ static int iNumNonAutoPrintServices = 0; + #define ENABLE_USER_FLAG "enable_user_flag" + #define RHOST "remote_host" + #define XSRF_TOKEN "xsrf" ++#define XSRF_TIME "xsrf_time" ++#define XSRF_TIMEOUT 300 + + #define _(x) lang_msg_rotate(talloc_tos(),x) + +@@ -141,7 +143,7 @@ static char *make_parm_name(const char *label) + } + + void get_xsrf_token(const char *username, const char *pass, +- const char *formname, char token_str[33]) ++ const char *formname, time_t xsrf_time, char token_str[33]) + { + struct MD5Context md5_ctx; + uint8_t token[16]; +@@ -152,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass, + MD5Init(&md5_ctx); + + MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname)); ++ MD5Update(&md5_ctx, (uint8_t *)&xsrf_time, sizeof(time_t)); + if (username != NULL) { + MD5Update(&md5_ctx, (uint8_t *)username, strlen(username)); + } +@@ -173,11 +176,13 @@ void print_xsrf_token(const char *username, const char *pass, + const char *formname) + { + char token[33]; ++ time_t xsrf_time = time(NULL); + +- get_xsrf_token(username, pass, formname, token); ++ get_xsrf_token(username, pass, formname, xsrf_time, token); + printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n", + XSRF_TOKEN, token); +- ++ printf("<input type=\"hidden\" name=\"%s\" value=\"%lld\">\n", ++ XSRF_TIME, (long long int)xsrf_time); + } + + bool verify_xsrf_token(const char *formname) +@@ -186,8 +191,23 @@ bool verify_xsrf_token(const char *formname) + const char *username = cgi_user_name(); + const char *pass = cgi_user_pass(); + const char *token = cgi_variable_nonull(XSRF_TOKEN); ++ const char *time_str = cgi_variable_nonull(XSRF_TIME); ++ time_t xsrf_time = 0; ++ time_t now = time(NULL); ++ ++ if (sizeof(time_t) == sizeof(int)) { ++ xsrf_time = atoi(time_str); ++ } else if (sizeof(time_t) == sizeof(long)) { ++ xsrf_time = atol(time_str); ++ } else if (sizeof(time_t) == sizeof(long long)) { ++ xsrf_time = atoll(time_str); ++ } ++ ++ if (abs(now - xsrf_time) > XSRF_TIMEOUT) { ++ return false; ++ } + +- get_xsrf_token(username, pass, formname, expected); ++ get_xsrf_token(username, pass, formname, xsrf_time, expected); + return (strncmp(expected, token, sizeof(expected)) == 0); + } + +diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h +index e66c942..424a3af 100644 +--- a/source/web/swat_proto.h ++++ b/source/web/swat_proto.h +@@ -68,7 +68,7 @@ void status_page(void); + + const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid); + void get_xsrf_token(const char *username, const char *pass, +- const char *formname, char token_str[33]); ++ const char *formname, time_t xsrf_time, char token_str[33]); + void print_xsrf_token(const char *username, const char *pass, + const char *formname); + bool verify_xsrf_token(const char *formname); +-- +1.7.1 + + +From 3973cfa50024983618a44ffdb9f756b642b85be7 Mon Sep 17 00:00:00 2001 +From: Kai Blin <kai@samba.org> +Date: Tue, 12 Jul 2011 08:08:24 +0200 +Subject: [PATCH 12/12] s3 swat: Create random nonce in CGI mode + +In CGI mode, we don't get access to the user's password, which would +reduce the hash used so far to parameters an attacker can easily guess. +To work around this, read the nonce from secrets.tdb or generate one if +it's not there. +Also populate the C_user field so we can use that for token creation. + +Signed-off-by: Kai Blin <kai@samba.org> + +The last 12 patches address bug #8290 (CSRF vulnerability in SWAT). +This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT). +--- + source/web/cgi.c | 18 +++++++++++++++++- + source/web/swat.c | 1 - + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/source/web/cgi.c b/source/web/cgi.c +index ccdc3a7..890ac8e 100644 +--- a/source/web/cgi.c ++++ b/source/web/cgi.c +@@ -19,6 +19,7 @@ + + #include "includes.h" + #include "web/swat_proto.h" ++#include "secrets.h" + + #define MAX_VARIABLES 10000 + +@@ -321,7 +322,22 @@ static void cgi_web_auth(void) + exit(0); + } + +- setuid(0); ++ C_user = SMB_STRDUP(user); ++ ++ if (!setuid(0)) { ++ C_pass = secrets_fetch_generic("root", "SWAT"); ++ if (C_pass == NULL) { ++ char *tmp_pass = NULL; ++ tmp_pass = generate_random_str(16); ++ if (tmp_pass == NULL) { ++ printf("%sFailed to create random nonce for " ++ "SWAT session\n<br>%s\n", head, tail); ++ exit(0); ++ } ++ secrets_store_generic("root", "SWAT", tmp_pass); ++ C_pass = SMB_STRDUP(tmp_pass); ++ } ++ } + setuid(pwd->pw_uid); + if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) { + printf("%sFailed to become user %s - uid=%d/%d<br>%s\n", +diff --git a/source/web/swat.c b/source/web/swat.c +index 50df66e..146f1cf 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -29,7 +29,6 @@ + + #include "includes.h" + #include "web/swat_proto.h" +-#include "../lib/crypto/md5.h" + + static int demo_mode = False; + static int passwd_only = False; +-- +1.7.1 + |