s3 swat: Fix possible XSS attack (bug #8289)

Nobuhiro Tsuji of NTT DATA SECURITY CORPORATION reported a possible XSS attack
against SWAT, the Samba Web Administration Tool. The attack uses reflection to
insert arbitrary content into the "change password" page.

This patch fixes the reflection issue by not printing user-specified content on
the website anymore.

Signed-off-by: Kai Blin <kai@samba.org>
CVE-2011-2694.

diff --git a/source3/web/swat.c b/source3/web/swat.c
index baffa44bae1b145272e30a1af8adeb824b2705b5..f6bc6154cc7c7cff4899175c96862b248a5fa3a5 100644 (file)
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -1121,11 +1121,9 @@ static void chg_passwd(void)
        if(cgi_variable(CHG_S_PASSWD_FLAG)) {
                printf("<p>");
                if (rslt == True) {
-                       printf(_(" The passwd for '%s' has been changed."), cgi_variable_nonull(SWAT_USER));
-                       printf("\n");
+                       printf("%s\n", _(" The passwd has been changed."));
                } else {
-                       printf(_(" The passwd for '%s' has NOT been changed."), cgi_variable_nonull(SWAT_USER));
-                       printf("\n");
+                       printf("%s\n", _(" The passwd for has NOT been changed."));
                }
        }
        
@@ -1139,14 +1137,6 @@ static void passwd_page(void)
 {
        const char *new_name = cgi_user_name();
 
-       /* 
-        * After the first time through here be nice. If the user
-        * changed the User box text to another users name, remember it.
-        */
-       if (cgi_variable(SWAT_USER)) {
-               new_name = cgi_variable_nonull(SWAT_USER);
-       } 
-
        if (!new_name) new_name = "";
 
        printf("<H2>%s</H2>\n", _("Server Password Management"));