| field | value | date |
|---|---|---|
| author | Kai Blin <kai@samba.org> | 2013-01-18 23:11:07 +0100 |
| committer | Karolin Seeger <kseeger@samba.org> | 2013-01-29 11:16:41 +0100 |
| commit | 4f24f1c72088867e683bcd2207807ef4da272420 (patch) | |
| tree | 739348cf19d5b4b5b9502c3b81d3a1b3a701b7f7 | |
| parent | d2e900757d8e8e2a82cb14e79814ed3cbc8d93c1 (diff) | |
| download | samba-4f24f1c72088867e683bcd2207807ef4da272420.tar.gz | |
swat: Use X-Frame-Options header to avoid clickjacking
Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user into changing Samba settings.
Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.
Signed-off-by: Kai Blin <kai@samba.org>
Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | source3/web/swat.c | 3 |

1 files changed, 2 insertions, 1 deletions
diff --git a/source3/web/swat.c b/source3/web/swat.c index 90e4af9958f..1eb191d5da4 100644 --- a/source3/web/swat.c +++ b/source3/web/swat.c @@ -269,7 +269,8 @@ static void print_header(void) if (!cgi_waspost()) { printf("Expires: 0\r\n"); } - printf("Content-type: text/html\r\n\r\n"); + printf("Content-type: text/html\r\n"); + printf("X-Frame-Options: DENY\r\n\r\n"); if (!include_html("include/header.html")) { printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n"); |
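Review bot: the new `X-Frame-Options: DENY` header is emitted only from `print_header()`, so any SWAT response that is written without going through `print_header()` (for example an error or redirect path that prints its own `Content-type` line) will still be frameable; please confirm that every HTML response in swat.c passes through this function, or hoist the header into a shared helper so it cannot be skipped. Ordering in the hunk is correct: the header is written before the blank line that terminates the CGI headers, so it lands in the header block rather than in the body. A small regression test that requests a SWAT page and asserts the header is present would make this fix harder to lose in future refactoring.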