JVN#29529126
Samba Web Administration Tool vulnerable to cross-site request forgery
Overview
Samba Web Administration Tool (SWAT) contains a cross-site request forgery vulnerability.
Products Affected
SWAT as shipped in the following Samba versions is affected:
- Samba versions prior to 3.5.10
- Samba versions prior to 3.4.14
- Samba versions prior to 3.3.16
- Samba versions 3.0.x through 3.2.15
Description
Samba Web Administration Tool (SWAT) allows for Samba configuration through a web interface. SWAT contains a cross-site request forgery vulnerability.
SWAT is disabled in a default configuration of Samba.
Impact
While a user is logged in to SWAT as root, an attacker may change the Samba configuration on that user's behalf.
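The vulnerability class above is a state-changing web request that the server accepts as long as the browser's session cookie rides along, which a page on another origin can trigger. The following is an added example, not SWAT's code or the developer's fix, showing the two server-side checks a hardened admin handler applies before applying a configuration change: a per-session synchronizer token carried in the form body and compared in constant time, plus an Origin/Referer check against the site's own origin. The session store, the field names (csrf_token, workgroup, security), the hostname swat.example and the port are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for a server-side session store: session id -> CSRF token.
# (Hypothetical; the real tool's session handling is not modelled here.)
SESSIONS = {}

# Constructed allow-list of settings the handler may change.
ALLOWED_KEYS = ("workgroup", "security")


def new_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def form_html(sid, action):
    """Render a state-changing form with the session's token as a hidden field.

    A page on another origin cannot read this value, so it cannot forge the POST."""
    token = SESSIONS[sid]
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="workgroup"><button>Commit</button></form>')


def same_origin(header_value, allowed_origin):
    """Reduce an Origin or Referer value to scheme://host[:port] and compare."""
    parts = urlparse(header_value)
    return f"{parts.scheme}://{parts.netloc}" == allowed_origin


def update_config(method, headers, body, sid, allowed_origin, config):
    """Apply a configuration change only if the request is provably first-party.

    Returns (applied, reason). Every reject path leaves `config` untouched."""
    if method != "POST":
        return False, "state change requires POST"
    if sid not in SESSIONS:
        return False, "no session"

    # Defence 1: the browser-set Origin (or Referer) must be our own site.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None or not same_origin(origin, allowed_origin):
        return False, "cross-site or missing Origin/Referer"

    # Defence 2: the form must carry the token bound to this session.
    form = parse_qs(body)
    submitted = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(submitted, SESSIONS[sid]):
        return False, "missing or wrong CSRF token"

    for key in ALLOWED_KEYS:
        if key in form:
            config[key] = form[key][0]
    return True, "applied"


if __name__ == "__main__":
    site = "http://swat.example:901"
    sid = new_session()
    cfg = {"workgroup": "WORKGROUP"}
    token = SESSIONS[sid]
    print(update_config("POST", {"Origin": site},
                        f"csrf_token={token}&workgroup=CORP", sid, site, cfg))
    # Forged request: session cookie present, token absent, other origin.
    print(update_config("POST", {"Origin": "http://other-site.example"},
                        "workgroup=EVIL", sid, site, cfg))
    print(cfg)
```

The token check alone defeats the forgery, because the hidden field is only readable by pages on the admin interface's own origin; the Origin/Referer check is a cheap second layer that also catches forms submitted with a stale or leaked token from elsewhere.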
Solution
Update the software
Update to the latest version of Samba or apply the appropriate patch according to the information provided by the developer.
Vendor Status
Vendor | Link
Samba | Cross-Site Forgery in SWAT; Samba Security Releases; Samba3 Release Planning
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
ISHIKAWA YOSHIHIRO of LAC reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
JPCERT Reports |
CERT Advisory |
CPNI Advisory |
TRnotes |
CVE | CVE-2011-2522
JVN iPedia | JVNDB-2011-002110