From 4f24f1c72088867e683bcd2207807ef4da272420 Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Fri, 18 Jan 2013 23:11:07 +0100
Subject: [PATCH 1/2] swat: Use X-Frame-Options header to avoid clickjacking

Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.

Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.

Signed-off-by: Kai Blin <kai@samba.org>

Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.
---
 source3/web/swat.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/source3/web/swat.c b/source3/web/swat.c
index 90e4af9..1eb191d 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -269,7 +269,8 @@ static void print_header(void)
 	if (!cgi_waspost()) {
 		printf("Expires: 0\r\n");
 	}
-	printf("Content-type: text/html\r\n\r\n");
+	printf("Content-type: text/html\r\n");
+	printf("X-Frame-Options: DENY\r\n\r\n");
 
 	if (!include_html("include/header.html")) {
 		printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n");
-- 
1.7.7


From 6762959a45bfc78183055162ae583733e589062f Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Sun, 20 Jan 2013 08:58:08 +0100
Subject: [PATCH 2/2] swat: Use additional nonce on XSRF protection

If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targetted by an XSRF on a
malicious web site targetting the SWAT setup.

Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.

Signed-off-by: Kai Blin <kai@samba.org>

Fix bug #9577 - CVE-2013-0214: Potential XSRF in SWAT.
---
 source3/web/cgi.c        |   39 +++++++++++++++++++++++++--------------
 source3/web/swat.c       |    2 ++
 source3/web/swat_proto.h |    1 +
 3 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index b97ed25..0192e7d 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -49,6 +49,7 @@ static const char *baseurl;
 static char *pathinfo;
 static char *C_user;
 static char *C_pass;
+static char *C_nonce;
 static bool inetd_server;
 static bool got_request;
 
@@ -330,20 +331,7 @@ static void cgi_web_auth(void)
 	C_user = SMB_STRDUP(user);
 
 	if (!samba_setuid(0)) {
-		C_pass = secrets_fetch_generic("root", "SWAT");
-		if (C_pass == NULL) {
-			char *tmp_pass = NULL;
-			tmp_pass = generate_random_password(talloc_tos(),
-							    16, 16);
-			if (tmp_pass == NULL) {
-				printf("%sFailed to create random nonce for "
-				       "SWAT session\n<br>%s\n", head, tail);
-				exit(0);
-			}
-			secrets_store_generic("root", "SWAT", tmp_pass);
-			C_pass = SMB_STRDUP(tmp_pass);
-			TALLOC_FREE(tmp_pass);
-		}
+		C_pass = SMB_STRDUP(cgi_nonce());
 	}
 	samba_setuid(pwd->pw_uid);
 	if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
@@ -465,6 +453,29 @@ char *cgi_user_pass(void)
 }
 
 /***************************************************************************
+return a ptr to the nonce
+  ***************************************************************************/
+char *cgi_nonce(void)
+{
+	const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
+	const char *tail = "</BODY></HTML>\r\n";
+	C_nonce = secrets_fetch_generic("root", "SWAT");
+	if (C_nonce == NULL) {
+		char *tmp_pass = NULL;
+		tmp_pass = generate_random_password(talloc_tos(), 16, 16);
+		if (tmp_pass == NULL) {
+			printf("%sFailed to create random nonce for "
+			       "SWAT session\n<br>%s\n", head, tail);
+			exit(0);
+		}
+		secrets_store_generic("root", "SWAT", tmp_pass);
+		C_nonce = SMB_STRDUP(tmp_pass);
+		TALLOC_FREE(tmp_pass);
+	}
+	return(C_nonce);
+}
+
+/***************************************************************************
 handle a file download
   ***************************************************************************/
 static void cgi_download(char *file)
diff --git a/source3/web/swat.c b/source3/web/swat.c
index 1eb191d..cc90f21 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -156,6 +156,7 @@ void get_xsrf_token(const char *username, const char *pass,
 	struct MD5Context md5_ctx;
 	uint8_t token[16];
 	int i;
+	char *nonce = cgi_nonce();
 
 	token_str[0] = '\0';
 	ZERO_STRUCT(md5_ctx);
@@ -169,6 +170,7 @@ void get_xsrf_token(const char *username, const char *pass,
 	if (pass != NULL) {
 		MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
 	}
+	MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
 
 	MD5Final(token, &md5_ctx);
 
diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h
index 424a3af..fe51b1f 100644
--- a/source3/web/swat_proto.h
+++ b/source3/web/swat_proto.h
@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const char *name);
 bool am_root(void);
 char *cgi_user_name(void);
 char *cgi_user_pass(void);
+char *cgi_nonce(void);
 void cgi_setup(const char *rootdir, int auth_required);
 const char *cgi_baseurl(void);
 const char *cgi_pathinfo(void);
-- 
1.7.7