author | Kai Blin <kai@samba.org> | 2013-01-28 21:41:07 +0100 |
committer | Karolin Seeger <kseeger@samba.org> | 2013-01-30 11:38:53 +0100 |
commit | a36370e6d511da8d9e77c845778cce7fa627b994 (patch) | |
tree | 2c3e9a550469d4057a5eedfa079b64ffae962419 /source3/web | |
parent | 4eb9c2d365e9238566f1155e1db440b7c92da4bb (diff) | |
download | samba-a36370e6d511da8d9e77c845778cce7fa627b994.tar.gz |
swat: Use additional nonce on XSRF protection
If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targeted by an XSRF on a
malicious web site targeting the SWAT setup.
Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.
Signed-off-by: Kai Blin <kai@samba.org>
Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.
(cherry picked from commit 91f4275873ebeda8f57684f09df67162ae80515a)
Diffstat (limited to 'source3/web')
-rw-r--r-- | source3/web/cgi.c | 40 | ||||
-rw-r--r-- | source3/web/swat.c | 2 | ||||
-rw-r--r-- | source3/web/swat_proto.h | 1 |
3 files changed, 29 insertions, 14 deletions
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index ef1b8562fa7..861bc84a28b 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -48,6 +48,7 @@ static const char *baseurl;
 static char *pathinfo;
 static char *C_user;
 static char *C_pass;
+static char *C_nonce;
 static bool inetd_server;
 static bool got_request;
@@ -329,20 +330,7 @@ static void cgi_web_auth(void)
 C_user = SMB_STRDUP(user);
 if (!setuid(0)) {
- C_pass = secrets_fetch_generic("root", "SWAT");
- if (C_pass == NULL) {
- char *tmp_pass = NULL;
- tmp_pass = generate_random_password(talloc_tos(),
- 16, 16);
- if (tmp_pass == NULL) {
- printf("%sFailed to create random nonce for "
- "SWAT session\n<br>%s\n", head, tail);
- exit(0);
- }
- secrets_store_generic("root", "SWAT", tmp_pass);
- C_pass = SMB_STRDUP(tmp_pass);
- TALLOC_FREE(tmp_pass);
- }
+ C_pass = SMB_STRDUP(cgi_nonce());
 }
 setuid(pwd->pw_uid);
 if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
@@ -459,6 +447,30 @@ char *cgi_user_pass(void)
 }
 /***************************************************************************
+return a ptr to the nonce
+ ***************************************************************************/
+char *cgi_nonce(void)
+{
+ const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
+ const char *tail = "</BODY></HTML>\r\n";
+ C_nonce = secrets_fetch_generic("root", "SWAT");
+ if (C_nonce == NULL) {
+ char *tmp_pass = NULL;
+ tmp_pass = generate_random_password(talloc_tos(),
+ 16, 16);
+ if (tmp_pass == NULL) {
+ printf("%sFailed to create random nonce for "
+ "SWAT session\n<br>%s\n", head, tail);
+ exit(0);
+ }
+ secrets_store_generic("root", "SWAT", tmp_pass);
+ C_nonce = SMB_STRDUP(tmp_pass);
+ TALLOC_FREE(tmp_pass);
+ }
+ return(C_nonce);
+}
+
+/***************************************************************************
 handle a file download
  ***************************************************************************/
 static void cgi_download(char *file)
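Review bot: The `head` and `tail` locals that the removed block passed to printf() are declared outside this hunk; if that block was their only use, cgi_web_auth() now carries two unused variables that -Wunused-variable will flag, so the top of the function (outside the hunk) should be checked. The replacement line `C_pass = SMB_STRDUP(cgi_nonce());` also leaves a reader guessing why the root "password" becomes the installation nonce; a comment such as `/* No password is available on the root path; reuse the secrets.tdb nonce so get_xsrf_token() still mixes in a per-installation secret. */` would record the intent, which I am inferring from the commit message rather than from the hunk. As before the change, the SMB_STRDUP() result is not checked for NULL.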
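Review bot: cgi_nonce() overwrites the file-scope `C_nonce` with a fresh secrets_fetch_generic() allocation on every call without freeing the previous value, so each get_xsrf_token() call in swat.c leaks one copy and re-reads secrets.tdb; an early `if (C_nonce != NULL) { return C_nonce; }` before the fetch keeps the nonce stable for the process lifetime. The result of `secrets_store_generic("root", "SWAT", tmp_pass);` is also ignored: if the store fails (for example because the tdb is not writable in the current privilege context) every request silently generates a different nonce, token validation can never succeed, and the failure is indistinguishable from an attack in the logs. A failed store should be treated like a failed generation, assuming its bool return matches the other secrets_store_* helpers. The header comment could additionally state that the nonce is created on first use and persisted in secrets.tdb under the "root"/"SWAT" key, so the same value is seen by later processes.
```c
char *cgi_nonce(void)
{
	const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
	const char *tail = "</BODY></HTML>\r\n";
	/* Fetch at most once per process; later calls reuse the cached value. */
	if (C_nonce != NULL) {
		return C_nonce;
	}
	C_nonce = secrets_fetch_generic("root", "SWAT");
	if (C_nonce == NULL) {
		/* … unchanged: generate tmp_pass, exit(0) when generation fails … */
		if (!secrets_store_generic("root", "SWAT", tmp_pass)) {
			printf("%sFailed to store random nonce for "
			       "SWAT session\n<br>%s\n", head, tail);
			exit(0);
		}
		C_nonce = SMB_STRDUP(tmp_pass);
		TALLOC_FREE(tmp_pass);
	}
	return(C_nonce);
}
```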
diff --git a/source3/web/swat.c b/source3/web/swat.c
index ed80c383dc8..f8933d21c84 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -154,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass,
 MD5_CTX md5_ctx;
 uint8_t token[16];
 int i;
+ char *nonce = cgi_nonce();
 token_str[0] = '\0';
 ZERO_STRUCT(md5_ctx);
@@ -167,6 +168,7 @@ void get_xsrf_token(const char *username, const char *pass,
 if (pass != NULL) {
 MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
 }
+ MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
 MD5Final(token, &md5_ctx);
diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h
index 424a3af545f..fe51b1f80ad 100644
--- a/source3/web/swat_proto.h
+++ b/source3/web/swat_proto.h
@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const char *name);
 bool am_root(void);
 char *cgi_user_name(void);
 char *cgi_user_pass(void);
+char *cgi_nonce(void);
 void cgi_setup(const char *rootdir, int auth_required);
 const char *cgi_baseurl(void);
 const char *cgi_pathinfo(void);
|
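Review bot: The added `MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));` is the only input to the token that is not derivable from the username and password, and nothing on the line says so; a comment would stop a later refactor from dropping it: `/* Secret per-installation nonce from secrets.tdb: without it the token is computable from the (possibly weak) credentials alone. */`. `strlen(nonce)` is safe only because cgi_nonce() in cgi.c exits the process instead of returning NULL, and that contract is worth noting at the `char *nonce = cgi_nonce();` declaration in the first hunk, since get_xsrf_token() starts outside both hunks. Calling cgi_nonce() from inside get_xsrf_token() also means secrets.tdb is consulted on every token computation unless cgi_nonce() caches its result.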