CVE-2011-2694: Samba - Security Announcement Archive
Cross-site scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to inject arbitrary web script or HTML via the username parameter to the passwd program (aka the user field to the Change Password page).
CVE-2011-2694:
===========================================================
== Subject:     Cross-Site Scripting vulnerability in SWAT
==
== CVE ID#:     CVE-2011-2694
==
== Versions:    Samba 3.0.x - 3.5.9 (inclusive)
==
== Summary:     The Samba Web Administration Tool (SWAT) in Samba versions
==              3.0.x to 3.5.9 is affected by a cross-site scripting
==              vulnerability.
==
==              Note that SWAT must be enabled in order for this
==              vulnerability to be exploitable. By default, SWAT
==              is *not* enabled on a Samba install.
==
===========================================================
===========
Description
===========
All released versions of Samba from 3.0.x through 3.5.9 are vulnerable to a cross-site scripting issue in the Samba Web Administration Tool (SWAT). On the "Change Password" page, the value submitted in the "user" field (the username parameter of the passwd program) is reflected into the generated HTML without being escaped, so arbitrary script or HTML can be inserted into the page through that field.
Because the injected content is reflected back only to the authenticated administrator who submits the form, the attacker needs a way to make that administrator's browser send the crafted value. This issue is therefore only exploitable if the SWAT cross-site request forgery issue, CVE-2011-2522, has not been fixed.
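The following C program is an added illustration of the flaw class, not Samba's own swat.c: a minimal CGI renderer for the change-password "user" input, first pasting the submitted value into the page verbatim (the CVE-2011-2694 pattern) and then entity-encoding it. The function names, the attacker payload and the buffer sizes are this example's own assumptions; the form field name "username" is taken from the CVE description.

```c
/* Added example (not Samba code): reflecting a submitted "user" value into
 * a change-password form, unescaped versus HTML-escaped. All names here are
 * the example's own assumptions, not SWAT's. */
#include <stdio.h>
#include <string.h>

/* Escape the five characters that can break out of HTML text or an
 * attribute value. Returns the number of bytes written (excluding the
 * terminating NUL), or -1 if the output buffer is too small. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (pos + n + 1 > outlen)
            return -1;
        memcpy(out + pos, rep, n);
        pos += n;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Render the "user" input row of a change-password form. With escape == 0
 * the value lands in the attribute verbatim, so a name such as
 *   "><script>alert(1)</script>
 * closes the attribute and injects markup. With escape != 0 the value is
 * entity-encoded and stays inert. Returns buf, or NULL on overflow. */
const char *render_user_field(const char *user, int escape,
                              char *buf, size_t buflen)
{
    char safe[512];
    const char *value = user;

    if (escape) {
        if (html_escape(user, safe, sizeof(safe)) < 0)
            return NULL;
        value = safe;
    }
    int n = snprintf(buf, buflen,
                     "<tr><td>User Name:</td>"
                     "<td><input type=\"text\" name=\"username\" value=\"%s\"></td></tr>",
                     value);
    if (n < 0 || (size_t)n >= buflen)
        return NULL;
    return buf;
}

/* Returns 1 if the rendered HTML still contains a raw <script tag. */
int contains_raw_script(const char *html)
{
    return strstr(html, "<script") != NULL;
}

/* Constructed sample input: the value an attacker would have an
 * authenticated administrator's browser submit (e.g. via the companion
 * CSRF issue). Hypothetical payload, not from the advisory. */
static const char SAMPLE_PAYLOAD[] = "\"><script>alert(document.cookie)</script>";

/* Render SAMPLE_PAYLOAD with or without escaping and report whether a raw
 * <script tag survives in the output (1 = injection succeeded). */
int payload_injects(int escape)
{
    char html[1024];
    const char *out = render_user_field(SAMPLE_PAYLOAD, escape, html, sizeof(html));
    return out != NULL && contains_raw_script(out);
}

int main(void)
{
    char html[1024];
    render_user_field(SAMPLE_PAYLOAD, 0, html, sizeof(html));
    printf("vulnerable: %s\n  injection succeeded: %d\n", html, payload_injects(0));
    render_user_field(SAMPLE_PAYLOAD, 1, html, sizeof(html));
    printf("hardened:   %s\n  injection succeeded: %d\n", html, payload_injects(1));
    return 0;
}
```

The escaper encodes both quote characters as well as the angle brackets and ampersand, because the reflected value sits inside a double-quoted attribute: stripping only `<` and `>` would still let a `"` close the attribute and add an event-handler attribute.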
==========
Workaround
==========
Ensure SWAT is turned off (it is not enabled by default) and use a different method, such as the smbpasswd command, to change the user's password.
==================
Patch Availability
==================
A patch addressing this defect has been posted to
http://www.samba.org/samba/security/
Additionally, Samba 3.5.10 has been issued as a security release to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba administrators running affected versions are advised to upgrade to 3.5.10 or apply the patch as soon as possible.
=======
Credits
=======
The issue was discovered by Nobuhiro Tsuji, NTT DATA SECURITY CORPORATION, and reported to the Samba Team by Takayuki Uchiyama of JPCERT. The patches for all Samba versions were written and tested by Kai Blin.
Related news
CVE-2011-2522: Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers to hijack the authentication of administrators for requests that (1) shut down daemons, (2) start daemons, (3) add shares, (4) remove shares, (5) add printers, (6) remove printers, (7) add user accounts, or (8) remove user accounts, as demonstrated by certain start, stop, and restart parameters to the status program. This is the CSRF issue that the advisory above names as the precondition for exploiting CVE-2011-2694.