Date:         Wed, 2 Aug 2000 17:50:35 +0900
From: root <root@DOGFOOT.HACKERSLAB.ORG>
Subject:      [ Hackerslab bug_paper ] ntop web mode vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

================================================================================

             [ Hackerslab bug_paper ] ntop web mode vulnerability

================================================================================



Command  :   /sbin/ntop -w <port>


SYSTEM :   N/A


INFO :

	   ntop - display top network users	
	

      -w   Starts ntop in web mode.  Users can attach their web browsers to
           the specified port and browse traffic information remotely.

        Suppose ntop is started on port 3000 (ntop -w 3000): the URL to
        access is http://hostname:3000/.  The file ~/.ntop specifies the
        HTTP user/password of those people who are allowed to access
        ntop. If the ~/.ntop file is missing, no security is used, hence
        everyone can access traffic information. A simple .ntop file is the
        following: 

# 
# .ntop File format 
# 
#
        user<tab>/<space>pw 
# 
# luca linux 

Please note that a separate HTTP server is NOT needed: in web mode ntop
itself listens on the given port and serves the pages.

When ntop runs in web mode, its document root is "/etc/ntop/html".

The embedded web server does not check the URL path: ".." components in
the request are passed straight through to the filesystem instead of
being rejected or resolved inside the document root.

So a request for http://host:port/../../shadow is served from
/etc/ntop/html/../../shadow, i.e. /etc/shadow, and the remote user gets
the file. Any file the ntop process can read is reachable this way; since
ntop is normally run as root (it needs raw socket access to capture
traffic), that is every file on the host.

Remember the manual: if there is no ~/.ntop file, "everyone can access
traffic information" !!! Without it the traversal needs no credentials at
all; with it, any user listed in ~/.ntop can still read arbitrary files.

If ntop is exposed in web mode to the public, anyone can read all files
on the system. Do not run ntop -w on a port reachable from untrusted
networks, and do not rely on ~/.ntop alone to contain this.
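The root cause is the missing path check. The C below is an added example
written for this page, not ntop's own code: unsafe_build_path() mirrors the
docroot + URL concatenation the advisory describes, and safe_build_path()
shows the fix, which percent-decodes the request, resolves "." and ".."
lexically and refuses any ".." that would climb above the document root.
The function names, the 64-segment limit and the sample requests (including
the /etc/ntop/html root from the advisory) are this example's own.

```c
/* Added example, not ntop's own code: resolving a URL path against a web
 * document root. unsafe_build_path() mirrors the behaviour the advisory
 * describes (no check on the path); safe_build_path() is the fix. The
 * function names and sample requests are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: docroot + URL, no validation. Under /etc/ntop/html,
 * "/../../shadow" becomes /etc/ntop/html/../../shadow, i.e. /etc/shadow. */
char *unsafe_build_path(const char *docroot, const char *url, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s%s", docroot, url);
    return out;
}

/* Percent-decode in -> out. Returns 0 on a malformed escape or an encoded
 * NUL (%00), which would otherwise truncate the path at the filesystem. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen) return 0;
        if (in[i] != '%') { out[o++] = in[i]; continue; }
        if (!isxdigit((unsigned char)in[i + 1]) || !isxdigit((unsigned char)in[i + 2])) return 0;
        char hex[3] = { in[i + 1], in[i + 2], '\0' };
        int c = (int)strtol(hex, NULL, 16);
        if (c == 0) return 0;
        out[o++] = (char)c;
        i += 2;
    }
    out[o] = '\0';
    return 1;
}

/* Hardened resolver: strip the query string, percent-decode, split on '/',
 * drop "." segments, let ".." pop a segment only while one exists, then
 * rebuild under docroot. Returns 0 (and fills out) on success, -1 if the
 * request is malformed or tries to climb above docroot. */
int safe_build_path(const char *docroot, const char *url, char *out, size_t outlen)
{
    char raw[1024], decoded[1024];
    const char *segs[64];
    size_t lens[64];
    int n = 0;

    if (snprintf(raw, sizeof raw, "%s", url) >= (int)sizeof raw) return -1;
    char *q = strchr(raw, '?');
    if (q) *q = '\0';
    if (!url_decode(raw, decoded, sizeof decoded)) return -1;

    for (char *p = decoded; *p != '\0';) {
        while (*p == '/') p++;
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;            /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') { /* ".." pops, never past root */
            if (n == 0) return -1;
            n--;
            continue;
        }
        if (n == 64) return -1;
        segs[n] = start;
        lens[n++] = len;
    }

    int w = snprintf(out, outlen, "%s", docroot);
    if (w < 0 || (size_t)w >= outlen) return -1;
    size_t used = (size_t)w;
    for (int i = 0; i < n; i++) {
        w = snprintf(out + used, outlen - used, "/%.*s", (int)lens[i], segs[i]);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
    }
    return 0;
}

/* 1 if url safely resolves to expect, 0 if it resolves elsewhere,
 * -1 if the resolver rejects it. */
int resolves_to(const char *docroot, const char *url, const char *expect)
{
    char buf[1024];
    if (safe_build_path(docroot, url, buf, sizeof buf) != 0) return -1;
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    const char *root = "/etc/ntop/html";
    const char *reqs[] = { "/index.html", "/../../shadow", "/%2e%2e/%2e%2e/shadow",
                           "/a/../b/./c.html", "/a/%00/../../x" };
    char buf[1024];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        printf("%-24s unsafe: %s\n", reqs[i], unsafe_build_path(root, reqs[i], buf, sizeof buf));
        if (safe_build_path(root, reqs[i], buf, sizeof buf) == 0)
            printf("%-24s safe:   %s\n", reqs[i], buf);
        else
            printf("%-24s safe:   rejected\n", reqs[i]);
    }
    return 0;
}
```

The check is lexical, so it stops "..", "%2e%2e" and "%00" tricks but does
not follow symlinks: a link placed inside the document root that points
outside it would still be served. A server that also wants to defend against
that should realpath() the final name and verify it still has the document
root as a prefix before opening the file.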

==-------------------------------------------------------------------------------==
       *********
   *    **   **    *
 *      **   **      *
*       *******      *
 *      **   **      *                                       dubhe@hackerslab.org
   *    **   **    *                                    [  http://www.hackerslab.org ]
       *********           HACKERSLAB (C)  since 2000
==-------------------------------------------------------------------------------==