Cross-Site Request Forgery in SWAT

Description

All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By tricking
a user who is authenticated with SWAT into clicking a manipulated URL on
a different web page, it is possible to manipulate SWAT.

In order to be vulnerable, SWAT must have been installed and enabled
either as a standalone server launched from inetd or xinetd, or as a
CGI plugin to Apache. If SWAT has not been installed or enabled (which
is the default install state for Samba) this advisory can be ignored.

If the user authenticated to SWAT as root, it is possible to shut down or
start the samba daemons, add or remove shares, printers and user accounts
and to change other aspects of the Samba configuration.

Workaround

Ensure SWAT is turned off and configure Samba using an alternative method
to edit the smb.conf file.

Patch Availability

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.5.10 has been issued as security release to correct the
defect. Patches against older Samba versions are available at
http://samba.org/samba/patches/. Samba administrators running affected
versions are advised to upgrade to 3.5.10 or apply the patch as soon
as possible.

Credits

The vulnerability was discovered by Yoshihiro Ishikawa (LAC Co., Ltd.) and
reported to the Samba Team by Takayuki Uchiyama of JPCERT. The patches for all
Samba versions were written and tested by Kai Blin ([email protected]).