Samba contains a flaw that allows a remote attacker to gain access to files outside of the share path under the privileges of the user. With a specifically crafted request, an attacker could potentially access files outside the share's root. The issue is due to the unix_convert() and check_name() functions not properly sanitizing user input supplied via the GET, PUT and DIR commands. Samba treats the resulting input as an absolute path rather than relative path to the share.

Upgrade to version 2.2.12 or higher, as it has been reported to fix this vulnerability. For the 3.x series, Samba Project has released a patch to address this vulnerability. As a workaround, set "wide links = no" in smb.conf.

• Security Tracker: 1011469
• Bugtraq ID: 11281
• Secunia Advisory ID: 12696 12707 12718 12726 12735 12748 12829
• ISS X-Force ID: 17556
• CVE ID: 2004-0815 (see also: NVD)
• SCIP VulDB ID: 858
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0443.html
  http://archives.neohapsis.com/archives/bugtraq/2004-10/0038.html
• Other Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000873
  http://rhn.redhat.com/errata/RHSA-2004-498.html
  http://www.debian.org/security/2004/dsa-600
  http://www.idefense.com/application/poi/display?id=146&type=vulnerabilities&flashstatus=true
  http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:104
  http://www.suse.de/de/security/2004_35_samba.html
  http://www.trustix.net/errata/2004/0051/
• Vendor Specific Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01048150
  http://us3.samba.org/samba/news/#security_2.2.12

• Karol Wiesek - iDefense Labs VCP