Bugtraq mailing list archives

Re: [ Hackerslab bug_paper ] ntop web mode vulnerability


From: Vanja Hrustic <vanja () RELAYGROUP COM>
Date: Wed, 2 Aug 2000 23:10:42 +0700

On Wed, 2 Aug 2000, root wrote:

> Its web mode does not check the URL path.
>
> So if the URL is "http://URL:port/../../shadow", a remote user will read all files.
>
> "everyone can access traffic information" !!!

Would you mind specifying the version of ntop you have tested?

The problem above was reported to the author 2 (or even more) months
ago, and it was fixed immediately. There were a few other security-related
issues which have been fixed as well in the past few months.

I have just tried version 1.3.1, and it properly returns a 401 code when
trying to access '..' paths.

Looks like you have been testing some older version.

Regards,

Vanja

