Bug 8289 - Swat contains a cross-site scripting vulnerability; CVE-2011-2694
Summary: Swat contains a cross-site scripting vulnerability; CVE-2011-2694
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: SWAT
Version: 3.6.0rc2
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Kai Blin
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-06 06:34 UTC by takayuki.uchiyama
Modified: 2012-03-16 23:55 UTC
CC List: 8 users

See Also:
jra: review+


Attachments
  Proposed fix for git master (1.68 KB, patch), 2011-07-12 18:39 UTC, Kai Blin, no flags
  Proposed fix for 3.6 (1.68 KB, patch), 2011-07-12 18:39 UTC, Kai Blin, no flags
  Proposed fix for 3.5 (1.68 KB, patch), 2011-07-12 18:40 UTC, Kai Blin, no flags
  Proposed fix for 3.4 (1.68 KB, patch), 2011-07-12 18:41 UTC, Kai Blin, no flags
  Proposed fix for 3.3 (1.68 KB, patch), 2011-07-12 18:41 UTC, Kai Blin, no flags
  Proposed patch for 3.0.x (1.67 KB, patch), 2011-07-12 18:52 UTC, Jeremy Allison, no flags
  Proposed fix for 3.2 (1.68 KB, patch), 2011-07-12 21:58 UTC, Kai Blin, no flags

Description takayuki.uchiyama 2011-07-06 06:34:14 UTC
[Vulnerability Information]
 This vulnerability was found and reported by the original finder.

 -Reference Number:
  JVN#63041502

 -Title:
  Swat contains a cross-site scripting vulnerability

 -Affected Products:
  swat (Samba Web Administration Tool) of samba version 3.0.24
  *swat is included in the samba package, therefore the samba version
   is described here.

 -Type of Vulnerability:
  Cross-site scripting

 -Possible Impact:
  User information from a cookie could be stolen.
  An arbitrary web page could be injected.

 -Possible Workarounds:
  Sanitize meta characters when displaying the characters
  which the vulnerable application receives.

 -Brief Reproduction Information provided by the reporter:
  In the password resetting window after login,
    ---------------------------
    http://serverIP:901/passwd
    ---------------------------
  set
    ---------------------------
    ""><script>alert('xss');<script>
    ---------------------------
  in the username parameter and send the request.

 -Proof of Concept Code
  None

 -Validation:
  The result of validation will be available on March 9, 2007.

 -About Reporter:
  Reporter's information is distributable to the vendor and JPCERT/CC.
  The reporter requests an acknowledgment/credit in both vendor's and
  JVN advisories when publicly disclosed.

    About Reporter:
     Nobuhiro Tsuji, NTT DATA SECURITY CORPORATION
     Email:nobuhiro_tsuji@nttdata-sec.co.jp


[REPRODUCTION PROCEDURES]
IPA* has validated the reported vulnerability and verified its
reproduction successfully.

  *What's IPA?
   IPA = Information-technology Promotion Agency, Japan
   (http://www.ipa.go.jp/security/english/anti-virus-e.html)
   Our partner entity who receives the vulnerability reports
   from the original finders/reporters, and then validates them
   and verifies their reproductions, and passes those verified
   vulnerabilities to JPCERT/CC for vendor coordination.
   IPA does the deeper analysis and JPCERT/CC does coordination.
   Both IPA and JPCERT/CC are government designated entities to
   handle vulnerabilities information under the Early Warning
   Partnership in Information Security guideline.


 <ENVIRONMENT>

  Web Server:
  ------------------
  OS:
    Vine Linux 4.0
  Software:
    swat 3.0.24
  Server and related software:
    -Apache 2.2.3
    -inetd  3.10
    -samba  3.0.24
  IP Address:
    192.168.121.128
  Configuration:
    Set it by using following URL as a reference.
    http://www.samba.gr.jp/doc/contrib/begin_samba2.0.html
  Language:
    Japanese
  ------------------

  Client
  ------------------
  OS:
    Windows 2000 Professional SP4
  Web Browser:
    -Internet Explorer 6 SP1
    -Mozilla Firefox 2.0.0.2
    -Opera 9.10
  IP Address:
    192.168.121.129
  Language:
    Japanese
  ------------------

 <REPRODUCTION STEPS>

 1. Access
      http://192.168.121.128:901/
    from the client with IE installed, and then enter the
    password and ID to log in.

 2. Click "PASSWORD" displayed on the right side of the window;
    the window then changes.
    Enter the following script in the "User Name" input field and
    then click the "Change Password" button.
      -------------------------------------------------------
      ""><script>alert("xss");</script
      -------------------------------------------------------
    The script entered above is then executed.

 3. To check the execution of the script and its behavior on each browser,
    change the web browser from IE to Firefox, and then to Opera, and repeat
    Reproduction Step 2 on each browser.
    Verify that the script is executed on each browser (IE, Firefox, and Opera).

    IPA verified the script execution and confirmed that there is a cross-site
    scripting vulnerability in swat.

 <COMMENT FROM IPA>
  This only affects users who are able to log into swat.
  It may be possible that a remote attacker could possibly force
  a user to temporarily view a malicious forged web page,
  if it exploits
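The workaround the report names, escaping HTML meta characters before a request parameter is echoed back into the page, as an added example in C. This is not Samba's code and not the fix attached to this bug (the patch line quoted in comment 12 shows the fix taking the other route, no longer echoing the username at all); the functions html_escape, html_replacement and escape_equals and the sample username are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement for each HTML meta character; NULL means copy as-is.
 * Escaping these five is enough for text placed in element content or
 * in a double- or single-quoted attribute value. */
static const char *html_replacement(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Return a newly allocated copy of `in` with HTML meta characters escaped.
 * Two passes: first measure the output, then fill it, so no fixed-size
 * buffer can overflow. Caller frees the result; NULL on allocation failure. */
char *html_escape(const char *in)
{
    size_t out_len = 0;
    const char *p;
    char *out, *q;

    for (p = in; *p != '\0'; p++) {
        const char *rep = html_replacement(*p);
        out_len += rep ? strlen(rep) : 1;
    }

    out = malloc(out_len + 1);
    if (out == NULL) {
        return NULL;
    }

    q = out;
    for (p = in; *p != '\0'; p++) {
        const char *rep = html_replacement(*p);
        if (rep == NULL) {
            *q++ = *p;
        } else {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        }
    }
    *q = '\0';
    return out;
}

/* Helper for checking: escape `in` and compare with `expected`.
 * Returns 1 on match, 0 on mismatch or allocation failure. */
int escape_equals(const char *in, const char *expected)
{
    char *got = html_escape(in);
    int match;

    if (got == NULL) {
        return 0;
    }
    match = strcmp(got, expected) == 0;
    free(got);
    return match;
}

int main(void)
{
    /* Constructed sample: a username of the shape the report describes. */
    const char *username = "\"><script>alert('xss');</script>";
    char *safe = html_escape(username);

    if (safe == NULL) {
        return 1;
    }
    /* The vulnerable pattern prints the raw parameter into the page;
     * the hardened form prints the escaped copy, which the browser
     * renders as literal text instead of markup. */
    printf("escaped: The passwd for '%s' has NOT been changed.\n", safe);
    free(safe);
    return 0;
}
```

The escaping must be applied at output time, in the HTML context the value lands in; validating the username on input alone would not protect a page that later echoes a stored value.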
Comment 1 Kai Blin 2011-07-06 08:17:03 UTC
reduced visibility to team only
Comment 2 Kai Blin 2011-07-06 22:33:19 UTC
Code unchanged for 3.6.0 so far, looks like a blocker. Will work on a fix asap.
Comment 3 Kai Blin 2011-07-12 18:39:03 UTC
Created attachment 6684
Proposed fix for git master

Proposed patch for git master
Comment 4 Kai Blin 2011-07-12 18:39:33 UTC
Created attachment 6685
Proposed fix for 3.6

Proposed patch for 3.6
Comment 5 Kai Blin 2011-07-12 18:40:06 UTC
Created attachment 6686
Proposed fix for 3.5

Proposed fix for 3.5
Comment 6 Kai Blin 2011-07-12 18:41:04 UTC
Created attachment 6687
Proposed fix for 3.4

Proposed fix for 3.4
Comment 7 Kai Blin 2011-07-12 18:41:33 UTC
Created attachment 6688
Proposed fix for 3.3

Proposed fix for 3.3
Comment 8 Kai Blin 2011-07-12 18:42:10 UTC
Fixes for 3.2 and 3.0 still need some work.
Comment 9 Jeremy Allison 2011-07-12 18:52:49 UTC
Created attachment 6694
Proposed patch for 3.0.x

Because I feel sorry for Apple :-).

Jeremy.
Comment 10 Kai Blin 2011-07-12 21:58:09 UTC
Created attachment 6696
Proposed fix for 3.2

Proposed fix for 3.2
Comment 11 Jeremy Allison 2011-07-14 23:34:28 UTC
These fixes look good to me - however I am not a security expert - especially on web-based security. The patches will also need to be reviewed by the security teams of the Linux distributions.

Re-assigning to Karolin so this task can proceed.

Jeremy.
Comment 12 Simo Sorce 2011-07-22 22:26:09 UTC
(In reply to comment #11)
> These fixes look good to me - however I am not a security expert - especially
> on web-based security. The patches will need to be also reviewed by the
> security Teams of the Linux distributions.
> 
> Re-assigning to Karolin so this task can proceed.
> 
> Jeremy.

Sorry to catch this late but there is a minor typo in the patch:
+			printf("%s\n", _(" The passwd for has NOT been changed."));

The 'for' in the message should be removed.
Comment 13 Karolin Seeger 2011-07-26 19:21:48 UTC
Patches have been pushed to v3-3-test, v3-4-test, v3-5-test and v3-6-test.
Samba 3.3.16, 3.4.14 and 3.5.10 include these patches, Samba 3.6.0rc3 will
also.

Re-assigning to Kai to push them to the master branch.
Comment 14 Kai Blin 2011-07-28 10:01:52 UTC
Jeremy pushed this to master already, marking as fixed.