s3 swat: Create random nonce in CGI mode
authorKai Blin <kai@samba.org>
Tue, 12 Jul 2011 06:08:24 +0000 (08:08 +0200)
committerKarolin Seeger <kseeger@samba.org>
Sun, 24 Jul 2011 18:46:46 +0000 (20:46 +0200)
In CGI mode, we don't get access to the user's password, so the hash used
so far would be built only from parameters an attacker can easily guess.
To work around this, read the nonce from secrets.tdb or generate one if
it's not there.
Also populate the C_user field so we can use that for token creation.

Signed-off-by: Kai Blin <kai@samba.org>
The last 12 patches address bug #8290 (CSRF vulnerability in SWAT).
This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT).

source/web/cgi.c
source/web/swat.c

index ccdc3a73e4d8a13ababa04170a2b4f683bec34a7..890ac8e66a6b96cd2abbbd859597d91d21b14fd4 100644 (file)
@@ -19,6 +19,7 @@
 
 #include "includes.h"
 #include "web/swat_proto.h"
+#include "secrets.h"
 
 #define MAX_VARIABLES 10000
 
@@ -321,7 +322,22 @@ static void cgi_web_auth(void)
                exit(0);
        }
 
-       setuid(0);
+       C_user = SMB_STRDUP(user);
+
+       if (!setuid(0)) {
+               C_pass = secrets_fetch_generic("root", "SWAT");
+               if (C_pass == NULL) {
+                       char *tmp_pass = NULL;
+                       tmp_pass = generate_random_str(16);
+                       if (tmp_pass == NULL) {
+                               printf("%sFailed to create random nonce for "
+                                      "SWAT session\n<br>%s\n", head, tail);
+                               exit(0);
+                       }
+                       secrets_store_generic("root", "SWAT", tmp_pass);
+                       C_pass = SMB_STRDUP(tmp_pass);
+               }
+       }
        setuid(pwd->pw_uid);
        if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
                printf("%sFailed to become user %s - uid=%d/%d<br>%s\n", 
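Review bot: The result of `secrets_store_generic("root", "SWAT", tmp_pass)` is discarded, so if the store fails (an unwritable secrets.tdb, for instance) each CGI request would presumably generate a fresh nonce that is never persisted, and any token derived from C_pass could not be verified against a later request, with no error reported; the store should be checked the way the neighbouring failure paths are, e.g. `if (!secrets_store_generic("root", "SWAT", tmp_pass)) { printf("%sFailed to store SWAT nonce\n<br>%s\n", head, tail); exit(0); }` (assuming it reports failure through its return value). Likewise, when `setuid(0)` fails the whole block is skipped, C_pass is left as it was and execution continues into `setuid(pwd->pw_uid)`; an `else` branch that prints a message and exits would make that failure visible instead of silent. The `tmp_pass` string is also never released after being copied into C_pass, though whether that is a leak depends on how generate_random_str allocates, which is not visible here. cgi_web_auth begins before and ends after this hunk, so how C_pass is consumed afterwards cannot be confirmed from the diff.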
index 50df66e66c7dfe60739cbcbdf3327f18d76883cb..146f1cf7d2d73879dd8847aeebbfea2fa083dba3 100644 (file)
@@ -29,7 +29,6 @@
 
 #include "includes.h"
 #include "web/swat_proto.h"
-#include "../lib/crypto/md5.h"
 
 static int demo_mode = False;
 static int passwd_only = False;