diff options
author | Kai Blin <kai@samba.org> | 2013-01-18 23:11:07 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-01-29 09:48:08 +0100 |
commit | 71225948a249f079120282740fcc39fd6faa880e (patch) | |
tree | 5b950ae37dfa9068fe08d4401e8bd42b63d87b51 /source3 | |
parent | 184d5ab26a553ca7ef3f529e90e4dd8c9aded75d (diff) | |
download | samba-71225948a249f079120282740fcc39fd6faa880e.tar.gz |
swat: Use X-Frame-Options header to avoid clickjacking
Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.
Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.
Signed-off-by: Kai Blin <kai@samba.org>
Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.
Diffstat (limited to 'source3')
-rw-r--r-- | source3/web/swat.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/source3/web/swat.c b/source3/web/swat.c index 1f6eb6c4d42..ed80c383dc8 100644 --- a/source3/web/swat.c +++ b/source3/web/swat.c @@ -266,7 +266,8 @@ static void print_header(void) if (!cgi_waspost()) { printf("Expires: 0\r\n"); } - printf("Content-type: text/html\r\n\r\n"); + printf("Content-type: text/html\r\n"); + printf("X-Frame-Options: DENY\r\n\r\n"); if (!include_html("include/header.html")) { printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n"); |