From: Kai Blin Date: Fri, 18 Jan 2013 22:11:07 +0000 (+0100) Subject: swat: Use X-Frame-Options header to avoid clickjacking X-Git-Tag: samba-3.5.21~1 X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=e9cd10049e0b5c1e24e454cc3277eb4bea033dfb swat: Use X-Frame-Options header to avoid clickjacking Jann Horn reported a potential clickjacking vulnerability in SWAT where the SWAT page could be embedded into an attacker's page using a frame or iframe and then used to trick the user to change Samba settings. Avoid this by telling the browser to refuse the frame embedding via the X-Frame-Options: DENY header. Signed-off-by: Kai Blin Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT. --- diff --git a/source3/web/swat.c b/source3/web/swat.c index 754e3cee732..d2bbee40c34 100644 --- a/source3/web/swat.c +++ b/source3/web/swat.c @@ -260,7 +260,8 @@ static void print_header(void) if (!cgi_waspost()) { printf("Expires: 0\r\n"); } - printf("Content-type: text/html\r\n\r\n"); + printf("Content-type: text/html\r\n"); + printf("X-Frame-Options: DENY\r\n\r\n"); if (!include_html("include/header.html")) { printf("\n");
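Review bot: the `X-Frame-Options: DENY` header is only emitted on the `Content-type: text/html` path inside `print_header()`, so the fix holds only if every response that renders a SWAT form goes through this function; any path that writes its own headers (a redirect or an error page, for example) would still be embeddable, and that should be confirmed before treating CVE-2013-0213 as closed. Splitting the original `printf` into two calls is fine, but since the header now shares the trailing `\r\n\r\n` with the content type, a later edit that reorders these lines could silently drop the blank line that ends the header block; a short comment above the new `printf` noting that `X-Frame-Options` must remain the last header before the body would guard against that. A quick regression check is to request any SWAT page with `curl -sI` and confirm `X-Frame-Options: DENY` is present in the response headers.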