Bug 8289 - Swat contains a cross-site scripting vulnerability; CVE-2011-2694
Swat contains a cross-site scripting vulnerability; CVE-2011-2694
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: SWAT
3.6.0rc2
All All
: P5 major
: ---
Assigned To: Kai Blin
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-07-06 06:34 UTC by takayuki.uchiyama
Modified: 2012-03-16 23:55 UTC (History)
8 users (show)

See Also:
jra: review+


Attachments
Proposed fix for git master (1.68 KB, patch)
2011-07-12 18:39 UTC, Kai Blin
no flags Details
Proposed fix for 3.6 (1.68 KB, patch)
2011-07-12 18:39 UTC, Kai Blin
no flags Details
Proposed fix for 3.5 (1.68 KB, patch)
2011-07-12 18:40 UTC, Kai Blin
no flags Details
Proposed fix for 3.4 (1.68 KB, patch)
2011-07-12 18:41 UTC, Kai Blin
no flags Details
Proposed fix for 3.3 (1.68 KB, patch)
2011-07-12 18:41 UTC, Kai Blin
no flags Details
Proposed patch for 3.0.x (1.67 KB, patch)
2011-07-12 18:52 UTC, Jeremy Allison
no flags Details
Proposed fix for 3.2 (1.68 KB, patch)
2011-07-12 21:58 UTC, Kai Blin
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description takayuki.uchiyama 2011-07-06 06:34:14 UTC
[Vulnerability Information]
 This vulnerability was found and reported by the original finder.

 -Reference Number:
  JVN#63041502

 -Title:
  Swat contains a cross-site scripting vulnerability

 -Affected Products:
  swat(samba web administration tool) of samba version 3.0.24
  *swat is included in samba package, therefore the samba version
   is described here.

 -Type of Vulnerability:
  Cross-site-scripting

 -Possible Impact:
  User information from a cookie could be stolen.
  An arbitrary web page could be injected.

 -Possible Workarounds:
  Sanitize meta characters when displaying the characters
  which the vulnerable application receives.

 -Brief Reproduction Information provided by the reporter:
  In the password resetting window after login,
    ---------------------------
    http://serverIP:901/passwd
    ---------------------------
  set
    ---------------------------
    ""><script>alert('xss');<script>
    ---------------------------
  in the username parameter and send the request.

 -Proof of Concept Code
  None

 -Validation:
  The result of validation will be available on March 9, 2007.

 -About Reporter:
  Reporter's information is distributable to the vendor and JPCERT/CC.
  The reporter requests an acknowledgment/credit in both vendor's and
  JVN advisories when publicly disclosed.

    About Reporter:
     Nobuhiro Tsuji, NTT DATA SECURITY CORPORATION
     Email:nobuhiro_tsuji@nttdata-sec.co.jp


[REPRODUCTION PROCEDURES]
IPA* has validated the reported vulnerability and verified its
reproduction successfully.

  *What's IPA?
   IPA = Information-technology Promotion Agency, Japan
   (http://www.ipa.go.jp/security/english/anti-virus-e.html)
   Our partner entity who receives the vulnerability reports
   from the original finders/reporters, and then validates them
   and verifies their reproductions, and passes those verified
   vulnerabilities to JPCERT/CC for vendor coordination.
   IPA does the deeper analysis and JPCERT/CC does coordination.
   Both IPA and JPCERT/CC are government designated entities to
   handle vulnerabilities information under the Early Warning
   Partnership in Information Security guideline.


 <ENVIRONMENT>

  Web Server:
  ------------------
  OS:
    Vine Linux 4.0
  Software:
    swat 3.0.24
  Server and related software:
    -Apache 2.2.3
    -inetd  3.10
    -samba  3.0.24
  IP Address:
    192.168.121.128
  Configuration:
    Set it by using following URL as a reference.
    http://www.samba.gr.jp/doc/contrib/begin_samba2.0.html
  Language:
    Japanese
  ------------------

  Client
  ------------------
  OS:
    Windows 2000 Professional SP4
  Web Browser:
    -Internet Explorer 6 SP1
    -Mozilla Firefox 2.0.0.2
    -Opera 9.10
  IP Address:
    192.168.121.129
  Language:
    Japanese
  ------------------

 <REPRODUCTION STEPS>

 1. Access to
      http://192.168.121.128:901/
    from the IE installed client, and then enter the
    password and ID to login.

 2. Click "PASSWORD" displayed on the right side of the window,
    then the window transfers.
    Enter the following script in "User Name" input field and
    then click "Change Password" button.
      -------------------------------------------------------
      ""><script>alert("xss");</script
      -------------------------------------------------------
    Then the script entered above is to be executed.

 3. To check the execution of the script and behavior on each browser,
    change the web browser from IE to Firefox, and to Opera, then repeat
    Reproduction Step 2. on each browser.
    Verify that the script is executed on each browser(IE, Firefox, and Opera).

    IPA verified the script execution and there was a cross-site
    scripting vulnerability in swat.

 <COMMENT FROM IPA>
  This only affects to the users who are able to log into swat.
  It may be possible that a remote attacker could possibly force
  a user to temporarily view a malicious forged web page,
  if it exploits
Comment 1 Kai Blin 2011-07-06 08:17:03 UTC
reduced visibility to team only
Comment 2 Kai Blin 2011-07-06 22:33:19 UTC
Code unchanged for 3.6.0 so far, looks like a blocker. Will work on a fix asap.
Comment 3 Kai Blin 2011-07-12 18:39:03 UTC
Created attachment 6684 [details]
Proposed fix for git master

Proposed patch for git master
Comment 4 Kai Blin 2011-07-12 18:39:33 UTC
Created attachment 6685 [details]
Proposed fix for 3.6

Proposed patch for 3.6
Comment 5 Kai Blin 2011-07-12 18:40:06 UTC
Created attachment 6686 [details]
Proposed fix for 3.5

Proposed fix for 3.5
Comment 6 Kai Blin 2011-07-12 18:41:04 UTC
Created attachment 6687 [details]
Proposed fix for 3.4

Proposed fix for 3.4
Comment 7 Kai Blin 2011-07-12 18:41:33 UTC
Created attachment 6688 [details]
Proposed fix for 3.3

Proposed fix for 3.3
Comment 8 Kai Blin 2011-07-12 18:42:10 UTC
Fixes for 3.2 and 3.0 still need some work.
Comment 9 Jeremy Allison 2011-07-12 18:52:49 UTC
Created attachment 6694 [details]
Proposed patch for 3.0.x

Because I feel sorry for Apple :-).

Jeremy.
Comment 10 Kai Blin 2011-07-12 21:58:09 UTC
Created attachment 6696 [details]
Proposed fix for 3.2

Proposed fix for 3.2
Comment 11 Jeremy Allison 2011-07-14 23:34:28 UTC
These fixes look good to me - however I am not a security expert - especially on web-based security. The patches will need to be also reviewed by the security Teams of the Linux distributions.

Re-assigning to Karolin so this task can proceed.

Jeremy.
Comment 12 Simo Sorce 2011-07-22 22:26:09 UTC
(In reply to comment #11)
> These fixes look good to me - however I am not a security expert - especially
> on web-based security. The patches will need to be also reviewed by the
> security Teams of the Linux distributions.
> 
> Re-assigning to Karolin so this task can proceed.
> 
> Jeremy.

Sorry to catch this late but there is a minor typo in the patch:
+			printf("%s\n", _(" The passwd for has NOT been changed."));

The 'for' in the message should be removed.
Comment 13 Karolin Seeger 2011-07-26 19:21:48 UTC
Patches have been pushed to v3-3-test, v3-4-test, v3-5-test and v3-6-test.
Samba 3.3.16, 3.4.14 and 3.5.10 include these patches, Samba 3.6.0rc3 will
also.

Re-assigning to Kai to push them to the master branch.
Comment 14 Kai Blin 2011-07-28 10:01:52 UTC
Jeremy pushed this to master already, marking as fixed.