The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability alert CVE-2011-2522 CVE-2011-2694

Samba: two vulnerabilities of SWAT

Synthesis of the vulnerability

An attacker can use two vulnerabilities of Samba Web Administration Tool, in order to create a Cross Site Request Forgery and a Cross Site Scripting.
Impacted systems: Debian, Fedora, HP-UX, Mandriva Linux, NLD, OES, openSUSE, Solaris, RHEL, Samba, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity of this alert: 2/4.
Consequences of an intrusion: client access/rights.
Pirate's origin: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 27/07/2011.
References of this alert: 8289, 8290, 8347, BID-48899, BID-48901, c03297338, CERTA-2011-AVI-416, CERTA-2011-AVI-493, CERTA-2012-AVI-232, CVE-2011-2522, CVE-2011-2694, DSA-2290-1, FEDORA-2011-10341, FEDORA-2011-10367, HPSBUX02768, MDVSA-2011:121, openSUSE-SU-2011:0998-1, RHSA-2011:1219-01, RHSA-2011:1220-01, RHSA-2011:1221-01, SSA:2011-210-03, SSRT100664, SUSE-SU-2011:0981-1, SUSE-SU-2011:0999-1, SUSE-SU-2011:1001-1, SUSE-SU-2011:1002-1, VIGILANCE-VUL-10871.

Description of the vulnerability

The Samba server can be administered via the SWAT (Samba Web Administration Tool) web interface, which is not enabled by default. Two vulnerabilities impact SWAT.

The SWAT web site does not use session tokens. When an administrator is connected to SWAT, an attacker can thus invite him to display an HTML page containing images with special URLs. When the images are loaded, these URLs perform administration operations. As SWAT does not check whether these URLs originate from the administrator's session, the administration operations are carried out directly. [severity:2/4; 8290, BID-48899, CERTA-2011-AVI-416, CERTA-2012-AVI-232, CVE-2011-2522]

The SWAT web site uses the SWAT_USER ("username") variable to indicate the name of the current user. The chg_passwd() function of the source/web/swat.c file changes the password of the user. However, this function directly displays the name of the user stored in the SWAT_USER variable. If a username given as parameter contains JavaScript code, the generated HTML page thus also contains this JavaScript code. [severity:2/4; 8289, BID-48901, CVE-2011-2694]

An attacker can therefore use two vulnerabilities of Samba Web Administration Tool, in order to create a Cross Site Request Forgery and a Cross Site Scripting.
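The two defect classes above, a state-changing handler with no per-session token check and a user-supplied name echoed into HTML unescaped, are shown below side by side with their hardened forms. This is an added illustration, not Samba's own swat.c code; the function names (html_escape, csrf_token_valid, chg_passwd_vulnerable, chg_passwd_hardened) and the sample input are constructed for the example.

```c
/* Added example, not code from Samba. Shows in miniature the two defects
 * the bulletin describes (missing session token check, unescaped user
 * name in the response) and the corresponding fixes. All names here are
 * hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the five characters that matter when interpolating untrusted
 * text into an HTML text node or attribute. Returns a malloc'd string. */
char *html_escape(const char *in) {
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
            case '&':  n += 5; break;           /* &amp;  */
            case '<': case '>': n += 4; break;  /* &lt; &gt; */
            case '"':  n += 6; break;           /* &quot; */
            case '\'': n += 5; break;           /* &#39;  */
            default:   n += 1;
        }
    }
    char *out = malloc(n + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *rep;
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   *q++ = *p; continue;
        }
        size_t l = strlen(rep);
        memcpy(q, rep, l);
        q += l;
    }
    *q = '\0';
    return out;
}

/* Compare the token stored in the session with the one submitted in the
 * form. Constant-time over equal lengths so the check does not leak
 * which prefix matched. Returns 1 on match, 0 otherwise. */
int csrf_token_valid(const char *expected, const char *submitted) {
    if (!expected || !submitted) return 0;
    size_t le = strlen(expected), ls = strlen(submitted);
    if (le != ls) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < le; i++)
        diff |= (unsigned char)(expected[i] ^ submitted[i]);
    return diff == 0;
}

/* Vulnerable pattern: acts on any request that arrives on an
 * authenticated connection and echoes the user name verbatim. */
int chg_passwd_vulnerable(const char *username, char *buf, size_t len) {
    return snprintf(buf, len, "<p>Password changed for %s</p>", username);
}

/* Hardened pattern: refuse the operation unless the per-session token
 * round-trips through the form, and escape before emitting. */
int chg_passwd_hardened(const char *session_token, const char *form_token,
                        const char *username, char *buf, size_t len) {
    if (!csrf_token_valid(session_token, form_token))
        return snprintf(buf, len, "%s",
                        "<p>Request rejected: missing or invalid form token</p>");
    char *safe = html_escape(username);
    if (!safe) return -1;
    int n = snprintf(buf, len, "<p>Password changed for %s</p>", safe);
    free(safe);
    return n;
}

int main(void) {
    char buf[256];
    const char *name = "<b>bob</b>";   /* constructed sample input */
    chg_passwd_vulnerable(name, buf, sizeof buf);
    printf("vulnerable: %s\n", buf);
    chg_passwd_hardened("tok", "tok", name, buf, sizeof buf);
    printf("hardened:   %s\n", buf);
    chg_passwd_hardened("tok", "wrong", name, buf, sizeof buf);
    printf("bad token:  %s\n", buf);
    return 0;
}
```

The token check addresses the first issue: a request triggered from a third-party page cannot carry a value that exists only in the administrator's own session, so it is rejected before any state changes. The escaping addresses the second: markup inside the name reaches the browser as text rather than as elements.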
