
Bug#68418: FWD: [ Hackerslab bug_paper ] ntop web mode vulnerability



Package: ntop
Severity: grave

I have verified this bug report -- fixing it is my utter top priority,
but I'd be very happy if someone else fixes it first.

----- Forwarded message from root <root@DOGFOOT.HACKERSLAB.ORG> -----

From: root <root@DOGFOOT.HACKERSLAB.ORG>
Date:         Wed, 2 Aug 2000 17:50:35 +0900
To: BUGTRAQ@SECURITYFOCUS.COM
Subject:      [ Hackerslab bug_paper ] ntop web mode vulnerability
Reply-To: root <root@DOGFOOT.HACKERSLAB.ORG>

================================================================================

             [ Hackerslab bug_paper ] ntop web mode vulnerability

================================================================================



Command  :   /sbin/ntop -w <port>


SYSTEM :   N/A


INFO :

           ntop - display top network users

       -w     Starts ntop in web mode. Users can attach their web browsers
              to the specified port and browse traffic information remotely.
              Supposing to start ntop at the port 3000 (ntop -w 3000), the
              URL to access is http://hostname:3000/. The file ~/.ntop
              specifies the HTTP user/password of those people who are
              allowed to access ntop. If the ~/.ntop file is missing no
              security will be used hence everyone can access traffic
              information. A simple .ntop file is the following:

              #
              # .ntop File format
              #
              # user<tab>/<space>pw
              #
              luca      linux

              Please note that an HTTP server is NOT needed in order to use
              the program in interactive mode.

* 'bdf' program has SUID permission.


If you use 'ntop' in web mode, its web root is "/etc/ntop/html".

Its web mode does not check the URL path.

So if the URL is "http://URL:port/../../shadow", a remote user will be able to read any file.

"everyone can access traffic information" !!!

If ntop is used publicly, anyone can read all files.

==-------------------------------------------------------------------------------==
       *********
   *    **   **    *
 *      **   **      *
*       *******      *
 *      **   **      *                                       dubhe@hackerslab.org
   *    **   **    *                                    [  http://www.hackerslab.org ]
       *********           HACKERSLAB (C)  since 2000
==-------------------------------------------------------------------------------==

----- End forwarded message -----

-- 
see shy jo
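The unchecked web-root concatenation the forwarded report describes, beside a lexical path check of the kind that prevents it. This is an added illustration, not ntop's own code; the function names, buffer sizes and segment limit are assumptions, and only the web root /etc/ntop/html comes from the report.

```c
#include <stdio.h>
#include <string.h>

#define NTOP_WEB_ROOT "/etc/ntop/html"   /* web root named in the report */
#define MAX_SEGS 64                      /* assumed limit on path depth */

/* Vulnerable pattern the report describes: the URL path is appended to the
 * web root unchecked, so "/../../shadow" becomes /etc/ntop/html/../../shadow,
 * which the kernel resolves to /etc/shadow. Returns 1 if the result fits. */
int unsafe_map(const char *url_path, char *out, size_t outlen) {
    return snprintf(out, outlen, "%s%s", NTOP_WEB_ROOT, url_path) < (int)outlen;
}

/* Hardened mapping (assumed design, not ntop's own): the percent-decoded URL
 * path is split into segments, "." is dropped, ".." pops one segment, and a
 * ".." that would climb above the root is refused. Purely lexical, so it needs
 * no files to exist. Returns 1 and fills out, or 0 if refused / too long. */
int safe_map(const char *url_path, char *out, size_t outlen) {
    char buf[1024];
    const char *segs[MAX_SEGS];
    size_t depth = 0, used;
    if (url_path[0] != '/' || strlen(url_path) >= sizeof buf) return 0;
    strcpy(buf, url_path);
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0) return 0;          /* would escape the web root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return 0;
        segs[depth++] = tok;
    }
    used = (size_t)snprintf(out, outlen, "%s", NTOP_WEB_ROOT);
    for (size_t i = 0; i < depth && used < outlen; i++)
        used += (size_t)snprintf(out + used, outlen - used, "/%s", segs[i]);
    if (depth == 0 && used < outlen)           /* "/" maps to the root directory */
        used += (size_t)snprintf(out + used, outlen - used, "/");
    return used < outlen;
}

/* Check helpers: does fn accept url and yield exactly expect / refuse url? */
int maps_to(int (*fn)(const char *, char *, size_t), const char *url, const char *expect) {
    char out[1024];
    return fn(url, out, sizeof out) && strcmp(out, expect) == 0;
}
int refuses(int (*fn)(const char *, char *, size_t), const char *url) {
    char out[1024];
    return !fn(url, out, sizeof out);
}
```

Percent-decoding of the request path has to happen before this check, otherwise "%2e%2e" slips past it. Calling realpath() on the result and verifying that it still starts with the web root adds protection against symlinks placed inside the root.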
