Clickjacking in SWAT

Description

All current released versions of Samba are vulnerable to clickjacking in the
Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
a malicious web page via a frame or iframe and then overlaid by other content,
an attacker could trick an administrator to potentially change Samba settings.

In order to be vulnerable, SWAT must have been installed and enabled
either as a standalone server launched from inetd or xinetd, or as a
CGI plugin to Apache. If SWAT has not been installed or enabled (which
is the default install state for Samba) this advisory can be ignored.

Workaround

Ensure SWAT is turned off and configure Samba using an alternative method
to edit the smb.conf file.

Patch Availability

Patches addressing this defect have been posted to

http://www.samba.org/samba/security/

Additionally, Samba 4.0.2, 3.6.12 and 3.5.21 have been issued as security
releases to correct the defect. Samba administrators running affected versions
are advised to upgrade to 4.0.2, 3.6.12 or 3.5.21 or apply the patch as soon as
possible.

Credits

The vulnerability was discovered and reported to the Samba Team by Jann Horn.
The patches for all Samba versions were written and tested by Kai Blin
([email protected]).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team