Samba Team issued a warning on September 30th on September 30th on September 30, a warning of the security vulnerability of the open source Windows exchange file server software "Samba". In the previous version of Samba 3.0.2 and 2.2.9, the non-public folder can be accessed from the outside, and the security vulnerability does not exist in the latest version of 3.0.7. The countermeasure is to upgrade to Samba 3.0.7 or 2.2.12, and SMABA also provides patches for version 5.0.5. In addition, "Wide Links = NO" settings in setting file SMB.Conf can be exempted from danger, and the default setting of the software is not "Wide Links = NO". The problem of this security vulnerability exists in the function of the Samba Processing folder name, which can specify an unapproved folder for access. Samba's original processing is: In the requested folder name and file name, it is impossible to specify ".." and "./" folder indicating the previous folder. According to the security vendor IDEFENSE for discovery, this process has a defect, which can specify any of the folders and files in the path. SMABA's latest version and patches can be downloaded from the formal website of Smaba (English).
