www.samba.org/samba/ftp/patches/security/samba-3.5.20-CVE-2013-0213-CVE-2013-0214.patch
diff -Naurp samba-3.5.10/source3/web/cgi.c samba-3.5.10.oden/source3/web/cgi.c
--- samba-3.5.10/source3/web/cgi.c 2011-07-24 20:04:44.000000000 +0000
+++ samba-3.5.10.oden/source3/web/cgi.c 2013-02-11 09:07:46.000000000 +0000
@@ -45,6 +45,7 @@ static const char *baseurl;
 static char *pathinfo;
 static char *C_user;
 static char *C_pass;
+static char *C_nonce;
 static bool inetd_server;
 static bool got_request;
@@ -326,19 +327,7 @@ static void cgi_web_auth(void)
 C_user = SMB_STRDUP(user);
 if (!setuid(0)) {
- C_pass = secrets_fetch_generic("root", "SWAT");
- if (C_pass == NULL) {
- char *tmp_pass = NULL;
- tmp_pass = generate_random_str(talloc_tos(), 16);
- if (tmp_pass == NULL) {
- printf("%sFailed to create random nonce for "
- "SWAT session\n<br>%s\n", head, tail);
- exit(0);
- }
- secrets_store_generic("root", "SWAT", tmp_pass);
- C_pass = SMB_STRDUP(tmp_pass);
- TALLOC_FREE(tmp_pass);
- }
+ C_pass = SMB_STRDUP(cgi_nonce());
 }
 setuid(pwd->pw_uid);
 if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
@@ -451,6 +440,30 @@ char *cgi_user_pass(void)
 }
 /***************************************************************************
+return a ptr to the nonce
+ ***************************************************************************/
+char *cgi_nonce(void)
+{
+ const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
+ const char *tail = "</BODY></HTML>\r\n";
+ C_nonce = secrets_fetch_generic("root", "SWAT");
+ if (C_nonce == NULL) {
+ char *tmp_pass = NULL;
+ tmp_pass = generate_random_str(talloc_tos(), 16);
+ if (tmp_pass == NULL) {
+ printf("%sFailed to create random nonce for "
+ "SWAT session\n<br>%s\n", head, tail);
+ exit(0);
+ }
+ secrets_store_generic("root", "SWAT", tmp_pass);
+ C_nonce = SMB_STRDUP(tmp_pass);
+ TALLOC_FREE(tmp_pass);
+ }
+ return(C_nonce);
+}
+
+
+/***************************************************************************
 handle a file download
 ***************************************************************************/
 static void cgi_download(char *file)
diff -Naurp samba-3.5.10/source3/web/swat.c samba-3.5.10.oden/source3/web/swat.c
--- samba-3.5.10/source3/web/swat.c 2011-07-24 20:04:44.000000000 +0000
+++ samba-3.5.10.oden/source3/web/swat.c 2013-02-11 09:07:46.000000000 +0000
@@ -148,6 +148,7 @@ void get_xsrf_token(const char *username
 struct MD5Context md5_ctx;
 uint8_t token[16];
 int i;
+ char *nonce = cgi_nonce();
 token_str[0] = '\0';
 ZERO_STRUCT(md5_ctx);
@@ -161,6 +162,7 @@ void get_xsrf_token(const char *username
 if (pass != NULL) {
 MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
 }
+ MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
 MD5Final(token, &md5_ctx);
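Review bot: cgi_nonce() assigns the file-static `C_nonce` unconditionally on every call, so each call after the first (cgi_web_auth() calls it once, and get_xsrf_token() in swat.c calls it again per token) overwrites the previous buffer — leaking it if secrets_fetch_generic() hands back heap memory the way SMB_STRDUP() does — and, should the fetch fail on a later call, mints a new random nonce that silently invalidates every token already issued. Guard the entry with `if (C_nonce != NULL) { return C_nonce; }` and test the result of `secrets_store_generic()` instead of discarding it, since a store that fails leaves the nonce per-process. The header comment should also state ownership, e.g. `/* Returns the per-installation SWAT nonce, creating and persisting one on first use; the string is owned by this module and must not be freed by callers. */`. Style: `return(C_nonce);` reads better as `return C_nonce;`, matching the rest of the file.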
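Review bot: The nonce is fed into the same running MD5 as the user name and password with no separator or length field, so the boundary between `pass` and `nonce` is ambiguous and the token is a plain hash of concatenated inputs rather than a keyed MAC; mixing the nonce in through Samba's own hmac_md5() helper with the nonce as the key, or at minimum hashing each field's length before its bytes, would make the construction sound. The new line also relies on cgi_nonce() never returning NULL, which holds only because cgi_nonce() calls exit() when it cannot generate a nonce (and, presumably, because SMB_STRDUP() aborts rather than returning NULL on allocation failure); a comment such as `/* cgi_nonce() exits on failure, so nonce is non-NULL here */` would record that dependency. get_xsrf_token()'s body starts before and continues after this hunk.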
@@ -247,7 +249,8 @@ static void print_header(void)
 if (!cgi_waspost()) {
 printf("Expires: 0\r\n");
 }
- printf("Content-type: text/html\r\n\r\n");
+ printf("Content-type: text/html\r\n");
+ printf("X-Frame-Options: DENY\r\n\r\n");
 if (!include_html("include/header.html")) {
 printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n");
diff -Naurp samba-3.5.10/source3/web/swat_proto.h samba-3.5.10.oden/source3/web/swat_proto.h
--- samba-3.5.10/source3/web/swat_proto.h 2011-07-24 20:04:44.000000000 +0000
+++ samba-3.5.10.oden/source3/web/swat_proto.h 2013-02-11 09:07:46.000000000 +0000
@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const ch
 bool am_root(void);
 char *cgi_user_name(void);
 char *cgi_user_pass(void);
+char *cgi_nonce(void);
 void cgi_setup(const char *rootdir, int auth_required);
 const char *cgi_baseurl(void);
 const char *cgi_pathinfo(void);
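Review bot: The X-Frame-Options header is emitted only from print_header(), while the error pages SWAT writes elsewhere send their own headers through a literal prefix — the `head` string added to cgi_nonce() in this same patch is `"Content-Type: text/html\r\n\r\n<HTML>..."` with no X-Frame-Options — so those responses remain frameable; either add the header to each such literal, e.g. `const char *head = "Content-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";`, or route them through one shared header-emitting helper. cgi_web_auth()'s own `head` string, outside the hunk, presumably has the same shape. A one-line comment above the new printf, `/* refuse framing so the authenticated UI cannot be clickjacked */`, would record why the header is sent here.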