From: Kai Blin <kai@samba.org>
Date: Tue, 12 Jul 2011 06:08:24 +0000 (+0200)
Subject: s3 swat: Create random nonce in CGI mode
X-Git-Tag: samba-3.4.14~1
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=a4922192d9b95e79bb31c54ca820a9b876a1bbe9

s3 swat: Create random nonce in CGI mode

In CGI mode, we don't get access to the user's password, which would
reduce the hash used so far to parameters an attacker can easily guess.
To work around this, read the nonce from secrets.tdb or generate one if
it's not there.
Also populate the C_user field so we can use that for token creation.

Signed-off-by: Kai Blin <kai@samba.org>

The last 12 patches address bug #8290 (CSRF vulnerability in SWAT).
This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT).
---

diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 8eef0b3b501..db374e2d3f5 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -19,6 +19,8 @@
 
 #include "includes.h"
 #include "web/swat_proto.h"
+#include "secrets.h"
+#include "../lib/util/util.h"
 
 #define MAX_VARIABLES 10000
 
@@ -321,7 +323,23 @@ static void cgi_web_auth(void)
 		exit(0);
 	}
 
-	setuid(0);
+	C_user = SMB_STRDUP(user);
+
+	if (!setuid(0)) {
+		C_pass = secrets_fetch_generic("root", "SWAT");
+		if (C_pass == NULL) {
+			char *tmp_pass = NULL;
+			tmp_pass = generate_random_str(talloc_tos(), 16);
+			if (tmp_pass == NULL) {
+				printf("%sFailed to create random nonce for "
+				       "SWAT session\n<br>%s\n", head, tail);
+				exit(0);
+			}
+			secrets_store_generic("root", "SWAT", tmp_pass);
+			C_pass = SMB_STRDUP(tmp_pass);
+			TALLOC_FREE(tmp_pass);
+		}
+	}
 	setuid(pwd->pw_uid);
 	if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
 		printf("%sFailed to become user %s - uid=%d/%d<br>%s\n",