| commit | a36370e6d511da8d9e77c845778cce7fa627b994 | |
| author | Kai Blin <kai@samba.org> | |
| Mon, 28 Jan 2013 20:41:07 +0000 (28 21:41 +0100) | ||
| committer | Karolin Seeger <kseeger@samba.org> | |
| Wed, 30 Jan 2013 10:38:53 +0000 (30 11:38 +0100) | ||
| tree | 2c3e9a550469d4057a5eedfa079b64ffae962419 | treesnapshot (tar.gz zip) |
| parent | 4eb9c2d365e9238566f1155e1db440b7c92da4bb | commitdiff |
swat: Use additional nonce on XSRF protection
If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targetted by an XSRF on a
malicious web site targetting the SWAT setup.
Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.
Signed-off-by: Kai Blin <kai@samba.org>
Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.
(cherry picked from commit 91f4275873ebeda8f57684f09df67162ae80515a)
If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targetted by an XSRF on a
malicious web site targetting the SWAT setup.
Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.
Signed-off-by: Kai Blin <kai@samba.org>
Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.
(cherry picked from commit 91f4275873ebeda8f57684f09df67162ae80515a)
| source3/web/cgi.c | diffblobblamehistory | |
| source3/web/swat.c | diffblobblamehistory | |
| source3/web/swat_proto.h | diffblobblamehistory |