COMMAND

    ntop

SYSTEMS AFFECTED

    ntop prior to 1.3.1

PROBLEM

    The following is based on [ Hackerslab bug_paper ]. ntop displays the top network users. With the -w switch it starts in web mode: users can point their web browsers at the specified port and browse traffic information remotely. If ntop is started on port 3000 (ntop -w 3000), the URL to access it is http://hostname:3000/

    The file ~/.ntop specifies the HTTP user/password of those people who are allowed to access ntop. If the ~/.ntop file is missing, no security is used, hence everyone can access the traffic information. A simple .ntop file is the following:

        #
        # .ntop File format
        #
        # user<tab>/<space>pw
        #
        #
        luca linux

    Please note that an HTTP server is NOT needed in order to use the program in interactive mode.

    When ntop is used in web mode, its web root is "/etc/ntop/html". The web mode does not check the URL path, so with a URL such as http://URL:port/../../shadow a remote user can read any file.

SOLUTION

    The problem above has been reported to the author and it has been fixed immediately. There were a few other security related issues which have been fixed as well. With version 1.3.1 it properly returns a 401 code when trying to access '..' paths.

    The "ntop" package is not a part of Debian 2.1. No fix is necessary. As for Debian 2.2 alias potato, this version of Debian is not yet released.
    Fixes are currently available for the Alpha, ARM, Intel ia32, Motorola 680x0, PowerPC and Sun Sparc architectures:

        http://security.debian.org/dists/potato/updates/main/source/ntop_1.2a7-10.diff.gz
        http://security.debian.org/dists/potato/updates/main/source/ntop_1.2a7-10.dsc
        http://security.debian.org/dists/potato/updates/main/source/ntop_1.2a7.orig.tar.gz
        http://security.debian.org/dists/potato/updates/main/binary-alpha/ntop_1.2a7-10_alpha.deb
        http://security.debian.org/dists/potato/updates/main/binary-arm/ntop_1.2a7-10_arm.deb
        http://security.debian.org/dists/potato/updates/main/binary-i386/ntop_1.2a7-10_i386.deb
        http://security.debian.org/dists/potato/updates/main/binary-m68k/ntop_1.2a7-10_m68k.deb
        http://security.debian.org/dists/potato/updates/main/binary-powerpc/ntop_1.2a7-10_powerpc.deb
        http://security.debian.org/dists/potato/updates/main/binary-sparc/ntop_1.2a7-10_sparc.deb

    Debian Unstable alias woody is not yet released and reflects the current development release. Fixes are the same as for potato.

    For RedHat:

        ftp://updates.redhat.com/powertools/6.2/sparc/ntop-1.3.1-1.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/ntop-1.3.1-1.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/SRPMS/ntop-1.3.1-1.src.rpm
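The '..' check that version 1.3.1 added is not shown on this page; the function below is an added illustration (not ntop's own code) of how a web server can map a requested URL path under the /etc/ntop/html root named above and refuse any request that would climb out of it. It assumes the URL path has already been percent-decoded before it is passed in.

```c
#include <stdio.h>
#include <string.h>

#define WEB_ROOT "/etc/ntop/html"   /* web root named in the advisory */

/* Map an already percent-decoded URL path onto a file under WEB_ROOT.
 * Segments are resolved lexically: "." is dropped, ".." pops the previous
 * segment, and a ".." that would climb above the root is rejected.
 * Returns 0 and fills 'out', or -1 when the request must be refused. */
int map_url_path(const char *url_path, char *out, size_t outlen)
{
    const char *segs[64];
    size_t lens[64];
    int depth = 0;
    const char *p = url_path;

    while (*p) {
        while (*p == '/') p++;                  /* skip a run of slashes */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.') continue;                 /* "."  */
        if (n == 2 && start[0] == '.' && start[1] == '.') {      /* ".." */
            if (depth == 0) return -1;          /* would escape the web root */
            depth--;
            continue;
        }
        if (depth == 64) return -1;             /* unreasonably deep path */
        segs[depth] = start;
        lens[depth] = n;
        depth++;
    }

    /* Rebuild the path below WEB_ROOT, checking the output buffer as we go. */
    size_t used = strlen(WEB_ROOT);
    if (used + 1 > outlen) return -1;
    memcpy(out, WEB_ROOT, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}
```

A lexical check like this does not protect against symlinks placed inside the web root; where that matters, also resolve the final path with realpath(3) and confirm it still starts with the root.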