This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.
The remote Samba server is affected by multiple vulnerabilities.
According to its banner, the version of Samba 3.x running on the
remote host is earlier than 3.3.16 / 3.4.14 / 3.5.10. As such, it is
potentially affected by several vulnerabilities in the Samba Web
Administration Tool (SWAT) :
- A cross-site scripting vulnerability exists because of a
  failure to sanitize input to the username parameter of
  the 'passwd' program. (Issue #8289)
- A cross-site request forgery (CSRF) vulnerability can
  allow SWAT to be manipulated when a user who is logged
  in as root is tricked into clicking specially crafted
  URLs sent by an attacker. (Issue #8290)
Note that these issues are only exploitable when SWAT is enabled, and
it is not enabled by default.
Also note that Nessus has relied only on the self-reported version
number and has not actually determined whether SWAT is enabled, tried
to exploit these issues, or determined if the associated patches have
See also :
Either apply one of the patches referenced in the project's advisory
or upgrade to 3.3.16 / 3.4.14 / 3.5.10 or later.
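The banner-based check described above has to compare each 3.x branch against its own fixed release, because a single "less than" comparison would treat 3.4.2 as newer than 3.3.16. The following is an added example, not Tenable's plugin code; the function names, the banner regex and the sample banners in the test are assumptions constructed for illustration.

```python
import re

# Fixed patch level per branch, taken from the advisory text above.
FIXED = {(3, 3): 16, (3, 4): 14, (3, 5): 10}

# Assumed banner shape: the word "Samba" followed by major.minor.patch,
# optionally followed by a vendor suffix that is ignored.
_VERSION_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)")


def parse_banner(banner):
    """Return (major, minor, patch) from a Samba banner, or None."""
    match = _VERSION_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def swat_status(banner):
    """Classify a self-reported version against the per-branch fixes.

    Returns 'potentially affected', 'fixed' or 'unknown'.
    """
    version = parse_banner(banner)
    if version is None or version[0] != 3:
        return "unknown"
    branch, patch = version[:2], version[2]
    if branch in FIXED:
        # Compare only within the same branch.
        return "fixed" if patch >= FIXED[branch] else "potentially affected"
    if branch < min(FIXED):
        # Branches older than 3.3 are earlier than 3.3.16.
        return "potentially affected"
    # Assumption: branches after 3.5 are outside what the advisory lists.
    return "unknown"
```

A result of 'potentially affected' says nothing about whether SWAT is enabled or whether a vendor applied the patch without changing the version string, so confirm both on the host before triaging.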
Risk factor :
Medium / CVSS Base Score : 6.8
CVSS Temporal Score : 5.6
Public Exploit Available : true