From 0be407ad30cb9e02b47a8caaa8497ad1525a6f97 Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Thu, 7 Jul 2011 10:03:33 +0200 Subject: [PATCH] s3 swat: Fix possible XSS attack (bug #8289) Nobuhiro Tsuji of NTT DATA SECURITY CORPORATION reported a possible XSS attack against SWAT, the Samba Web Administration Tool. The attack uses reflection to insert arbitrary content into the "change password" page. This patch fixes the reflection issue by not printing user-specified content on the website anymore. Signed-off-by: Kai Blin (cherry picked from commit d88744f460a2a65d4e0cfb6c944f90f09e15d3b4) --- source3/web/swat.c | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/source3/web/swat.c b/source3/web/swat.c index 38f647570ff..6e878980668 100644 --- a/source3/web/swat.c +++ b/source3/web/swat.c @@ -1129,11 +1129,9 @@ static void chg_passwd(void) if(cgi_variable(CHG_S_PASSWD_FLAG)) { printf("

"); if (rslt == True) { - printf(_(" The passwd for '%s' has been changed."), cgi_variable_nonull(SWAT_USER)); - printf("\n"); + printf("%s\n", _(" The passwd has been changed.")); } else { - printf(_(" The passwd for '%s' has NOT been changed."), cgi_variable_nonull(SWAT_USER)); - printf("\n"); + printf("%s\n", _(" The passwd for has NOT been changed.")); } } @@ -1147,14 +1145,6 @@ static void passwd_page(void) { const char *new_name = cgi_user_name(); - /* - * After the first time through here be nice. If the user - * changed the User box text to another users name, remember it. - */ - if (cgi_variable(SWAT_USER)) { - new_name = cgi_variable_nonull(SWAT_USER); - } - if (!new_name) new_name = ""; printf("

%s

\n", _("Server Password Management")); -- 2.11.4.GIT