swat: Use additional nonce on XSRF protection samba-3.6.12
authorKai Blin <kai@samba.org>
Mon, 28 Jan 2013 20:41:07 +0000 (21:41 +0100)
committerKarolin Seeger <kseeger@samba.org>
Tue, 29 Jan 2013 08:49:31 +0000 (09:49 +0100)
If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targetted by an XSRF on a
malicious web site targetting the SWAT setup.

Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.

Signed-off-by: Kai Blin <kai@samba.org>
Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.

source3/web/cgi.c
source3/web/swat.c
source3/web/swat_proto.h

index ef1b856..861bc84 100644 (file)
@@ -48,6 +48,7 @@ static const char *baseurl;
 static char *pathinfo;
 static char *C_user;
 static char *C_pass;
+static char *C_nonce;
 static bool inetd_server;
 static bool got_request;
 
@@ -329,20 +330,7 @@ static void cgi_web_auth(void)
        C_user = SMB_STRDUP(user);
 
        if (!setuid(0)) {
-               C_pass = secrets_fetch_generic("root", "SWAT");
-               if (C_pass == NULL) {
-                       char *tmp_pass = NULL;
-                       tmp_pass = generate_random_password(talloc_tos(),
-                                                           16, 16);
-                       if (tmp_pass == NULL) {
-                               printf("%sFailed to create random nonce for "
-                                      "SWAT session\n<br>%s\n", head, tail);
-                               exit(0);
-                       }
-                       secrets_store_generic("root", "SWAT", tmp_pass);
-                       C_pass = SMB_STRDUP(tmp_pass);
-                       TALLOC_FREE(tmp_pass);
-               }
+               C_pass = SMB_STRDUP(cgi_nonce());
        }
        setuid(pwd->pw_uid);
        if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
@@ -459,6 +447,30 @@ char *cgi_user_pass(void)
 }
 
 /***************************************************************************
+return a ptr to the nonce
+  ***************************************************************************/
+char *cgi_nonce(void)
+{
+       const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
+       const char *tail = "</BODY></HTML>\r\n";
+       C_nonce = secrets_fetch_generic("root", "SWAT");
+       if (C_nonce == NULL) {
+               char *tmp_pass = NULL;
+               tmp_pass = generate_random_password(talloc_tos(),
+                                                   16, 16);
+               if (tmp_pass == NULL) {
+                       printf("%sFailed to create random nonce for "
+                              "SWAT session\n<br>%s\n", head, tail);
+                       exit(0);
+               }
+               secrets_store_generic("root", "SWAT", tmp_pass);
+               C_nonce = SMB_STRDUP(tmp_pass);
+               TALLOC_FREE(tmp_pass);
+       }
+        return(C_nonce);
+}
+
+/***************************************************************************
 handle a file download
   ***************************************************************************/
 static void cgi_download(char *file)
index ed80c38..f8933d2 100644 (file)
@@ -154,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass,
        MD5_CTX md5_ctx;
        uint8_t token[16];
        int i;
+       char *nonce = cgi_nonce();
 
        token_str[0] = '\0';
        ZERO_STRUCT(md5_ctx);
@@ -167,6 +168,7 @@ void get_xsrf_token(const char *username, const char *pass,
        if (pass != NULL) {
                MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
        }
+       MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
 
        MD5Final(token, &md5_ctx);
 
index 424a3af..fe51b1f 100644 (file)
@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const char *name);
 bool am_root(void);
 char *cgi_user_name(void);
 char *cgi_user_pass(void);
+char *cgi_nonce(void);
 void cgi_setup(const char *rootdir, int auth_required);
 const char *cgi_baseurl(void);
 const char *cgi_pathinfo(void);