Published: 2011/08/26    Last Updated: 2011/08/26

JVN#29529126
Samba Web Administration Tool vulnerable to cross-site request forgery

Overview

Samba Web Administration Tool (SWAT) contains a cross-site request forgery vulnerability.

Products Affected

Samba Web Administration Tool (SWAT) as contained in the following Samba versions is affected:

  • Samba versions prior to 3.5.10
  • Samba versions prior to 3.4.14
  • Samba versions prior to 3.3.16
  • Samba versions 3.0.x through 3.2.15

Description

Samba Web Administration Tool (SWAT) allows Samba to be configured through a web interface. SWAT contains a cross-site request forgery vulnerability.

SWAT is disabled in a default configuration of Samba.

Impact

When a user is logged in to SWAT as root, an attacker may change the Samba configuration.

Solution

Update the software
Update to the latest version of Samba or apply the appropriate patch according to the information provided by the developer.

Credit

ISHIKAWA YOSHIHIRO of LAC reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2011-2522
JVN iPedia: JVNDB-2011-002110