===========================================================
== Subject:     Cross-Site Request Forgery in SWAT
==
== CVE ID#:     CVE-2011-2522
==
== Versions:    Samba 3.0.x - 3.5.9 (inclusive)
==
== Summary:     The Samba Web Administration Tool (SWAT) in Samba versions
==              3.0.x to 3.5.9 is affected by a cross-site request forgery.
==
==              Note that SWAT must be enabled in order for this
==              vulnerability to be exploitable. By default, SWAT
==              is *not* enabled on a Samba install.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By tricking
a user who is authenticated with SWAT into clicking a manipulated URL on
a different web page, it is possible to manipulate SWAT.

In order to be vulnerable, SWAT must have been installed and enabled,
either as a standalone server launched from inetd or xinetd, or as a CGI
plugin to Apache. If SWAT has not been installed or enabled (which is the
default install state for Samba), this advisory can be ignored.

If the user authenticated to SWAT as root, it is possible to shut down or
start the Samba daemons, add or remove shares, printers and user accounts,
and change other aspects of the Samba configuration.

==========
Workaround
==========

Ensure SWAT is turned off and configure Samba using an alternative method
to edit the smb.conf file.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

    http://www.samba.org/samba/security/

Additionally, Samba 3.5.10 has been issued as a security release to
correct the defect. Patches against older Samba versions are available
at http://samba.org/samba/patches/.

Samba administrators running affected versions are advised to upgrade
to 3.5.10 or apply the patch as soon as possible.

=======
Credits
=======

The vulnerability was discovered by Yoshihiro Ishikawa (LAC Co., Ltd.)
and reported to the Samba Team by Takayuki Uchiyama of JPCERT. The
patches for all Samba versions were written and tested by Kai Blin
(kai@samba.org).
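The workaround above hinges on knowing whether SWAT is actually enabled through any of the three launch paths the advisory names (inetd, xinetd, or an Apache CGI mapping). The following is an added audit helper, not code from the advisory or from the Samba project; the configuration snippets it inspects are constructed samples, and the Apache check assumes SWAT is wired in via a ScriptAlias line, which is one common way but not the only one.

```python
import re

def inetd_swat_enabled(inetd_conf: str) -> bool:
    """True if /etc/inetd.conf contains an active (uncommented) swat service line."""
    for line in inetd_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.split()[0] == "swat":
            return True
    return False

def xinetd_swat_enabled(xinetd_conf: str) -> bool:
    """True if an xinetd 'service swat' block exists and is not disabled.

    xinetd treats a missing 'disable' attribute as enabled, so only an
    explicit 'disable = yes' counts as turned off."""
    block = re.search(r"service\s+swat\s*\{(.*?)\}", xinetd_conf, re.S)
    if not block:
        return False
    m = re.search(r"^\s*disable\s*=\s*(\w+)", block.group(1), re.M)
    return not (m and m.group(1).lower() == "yes")

def apache_swat_enabled(httpd_conf: str) -> bool:
    """True if an uncommented ScriptAlias maps a URL onto the swat CGI binary
    (assumed wiring; other CGI setups would need their own check)."""
    for line in httpd_conf.splitlines():
        s = line.strip()
        if s.startswith("#"):
            continue
        if s.lower().startswith("scriptalias") and "swat" in s:
            return True
    return False

def swat_exposure(inetd_conf: str, xinetd_conf: str, httpd_conf: str) -> dict:
    """Summarise which launch paths currently expose SWAT (True = enabled)."""
    return {
        "inetd": inetd_swat_enabled(inetd_conf),
        "xinetd": xinetd_swat_enabled(xinetd_conf),
        "apache": apache_swat_enabled(httpd_conf),
    }

# Constructed sample configurations (not taken from any real host).
SAMPLE_INETD = "#swat stream tcp nowait.400 root /usr/sbin/swat swat\nftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n"
SAMPLE_XINETD = "service swat\n{\n    port = 901\n    socket_type = stream\n    server = /usr/sbin/swat\n    disable = no\n}\n"
SAMPLE_HTTPD = "# ScriptAlias /swat /usr/sbin/swat\nScriptAlias /cgi-bin/ /usr/lib/cgi-bin/\n"
```

Any key reporting True in the returned dict means the host is in the exposed state the advisory describes and the corresponding entry should be disabled or the patched release installed.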