Published: 2011/08/26  Last Updated: 2011/08/26

JVN#63041502
Samba Web Administration Tool vulnerable to cross-site scripting

Overview

Samba Web Administration Tool contains a cross-site scripting vulnerability.

Products Affected

The Samba Web Administration Tool (SWAT) contained in the following Samba versions is affected:

  • Samba versions prior to 3.5.10
  • Samba versions prior to 3.4.14
  • Samba versions prior to 3.3.16
  • Samba versions 3.0.x through 3.2.15

Description

The Samba Web Administration Tool (SWAT) allows Samba to be configured through a web interface. SWAT contains a cross-site scripting vulnerability.

SWAT is disabled in a default configuration of Samba.
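As an added example (not part of the JVN advisory and not the Samba project's own tooling), the following POSIX shell functions turn the affected-version list above and the default-disabled note into two checks an administrator can run on a host: `samba_affected` classifies a Samba version string (the bare version or the "Version x.y.z" line printed by `smbd -V`) against the affected ranges, and `swat_enabled` reports whether SWAT is switched on in an xinetd service file. SWAT is normally started from (x)inetd rather than as a standalone daemon; the `/etc/xinetd.d/swat` path is an assumption about the local setup and can be overridden with an argument.

```shell
#!/bin/sh
# Added example, not from the JVN advisory or from Samba itself.
# Checks a host against the affected-version ranges and the SWAT-enabled caveat.

# Return 0 if the given Samba version is inside one of the affected ranges:
#   3.5.x < 3.5.10, 3.4.x < 3.4.14, 3.3.x < 3.3.16, 3.0.x through 3.2.15.
# Accepts "3.5.9", "3.0.28a", or the "Version 3.5.9" line printed by `smbd -V`.
# Returns 1 when the version is outside the ranges and 2 when it cannot be parsed.
samba_affected() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop letter suffixes such as the "a" in 3.0.28a

    [ "$major" -eq 3 ] || return 1   # only the 3.x series is listed as affected
    case "$minor" in
        5)   [ "$patch" -lt 10 ] ;;
        4)   [ "$patch" -lt 14 ] ;;
        3)   [ "$patch" -lt 16 ] ;;
        0|1) return 0 ;;             # every 3.0.x and 3.1.x release falls in 3.0.x..3.2.15
        2)   [ "$patch" -le 15 ] ;;
        *)   return 1 ;;             # 3.6 and later are not in the affected list
    esac
}

# Return 0 if the xinetd service file for SWAT exists and does not disable it.
# The default path is an assumption; pass the real path as the first argument.
swat_enabled() {
    f=${1:-/etc/xinetd.d/swat}
    [ -r "$f" ] || return 1
    ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"
}

# Usage on a live host: classify the installed smbd, then see whether SWAT is on.
if command -v smbd >/dev/null 2>&1; then
    v=$(smbd -V 2>/dev/null) || v=""
    if samba_affected "$v"; then
        echo "$v: inside the affected ranges"
    else
        echo "$v: outside the affected ranges"
    fi
    if swat_enabled; then
        echo "SWAT is enabled in xinetd"
    else
        echo "SWAT is disabled or not configured in xinetd"
    fi
fi
```

A version outside the ranges is not proof of safety on distributions that backport fixes without changing the version string; treat the result as a prompt to check the vendor's patch level, and treat a disabled SWAT as the condition under which the page says the issue is not reachable.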

Impact

An arbitrary script may be executed in the web browser of a user who is logged in to SWAT.

According to the developer, this vulnerability is exploitable only if JVN#29529126 is not addressed.

Solution

Update the software
Update to the latest version of Samba or apply the appropriate patch according to the information provided by the developer.

Credit

Nobuhiro Tsuji of NTT DATA INTELLILINK CORPORATION reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2011-2694
JVN iPedia: JVNDB-2011-002111