Bugtraq mailing list archives
Re: [ Hackerslab bug_paper ] ntop web mode vulnerabliity
From: Vanja Hrustic <vanja () RELAYGROUP COM>
Date: Wed, 2 Aug 2000 23:10:42 +0700
On Wed, 2 Aug 2000, root wrote:
> Its web mode does not check the URL path. So if the URL is "http://URL:port/../../shadow", a remote user will read all files. "everyone can access traffic information" !!!
Would you mind specifying the version of ntop you have tested?

The problem above was reported to the author 2 (or even more) months ago, and it was fixed immediately. There were a few other security-related issues which have been fixed as well in the past few months.

I have just tried version 1.3.1, and it properly returns a 401 code when trying to access '..' paths. Looks like you have been testing some older version.

Regards,
Vanja
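Added example, not part of the thread and not ntop's own code: a request-path check of the kind the reply describes, rejecting any `..` segment with 401 after percent-decoding the path once. The function names, the 1024-byte buffer and the 400 answer for malformed input are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes once, as a server would before opening the file.
   Returns 0 on success, -1 on a malformed escape, %00, or overflow. */
static int url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            char hex[3] = { in[1], in[2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            in += 2;
        }
        if (c == '\0' || o + 1 >= outsz)   /* decoded NUL or no room left */
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Returns 1 if any segment (split on '/' or '\') is exactly "..". */
static int has_dotdot_segment(const char *p)
{
    while (*p) {
        size_t len = strcspn(p, "/\\");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len + (p[len] != '\0');       /* skip the separator, if any */
    }
    return 0;
}

/* Hypothetical helper: HTTP status to answer with for a request path. */
int check_request_path(const char *url_path)
{
    char decoded[1024];
    if (url_path[0] != '/' || url_decode(url_path, decoded, sizeof decoded) != 0)
        return 400;                        /* assumption: malformed -> 400 */
    return has_dotdot_segment(decoded) ? 401 : 200;
}

int main(void)
{
    printf("%d\n", check_request_path("/%2e%2e/../shadow")); /* constructed input */
    return 0;
}
```

Matching whole segments rather than the substring `..` keeps names such as `file..txt` servable while still catching the encoded form `%2e%2e`.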