Ntop 4.0.3 Cross Site Scripting

2012.08.03
Credit: Marcos Garcia
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Title: Ntop v.4.0.3 (64 bit) - Cross Site Scripting
Type: Remote
Impact: Cross-Site Scripting
Release Date: 02.08.2012
Release mode: Coordinated release

Summary
=======
ntop is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.

Description
===========
A reflected Cross Site Scripting vulnerability was found in Ntop, because the application fails to sanitize user-supplied input before reflecting it in the response; the PoC below reflects the arbfile query parameter of the rrdPlugin endpoint. The vulnerability can be triggered by any user.

Vendor
======
Ntop - http://www.ntop.org/

Affected Version
================
v.4.0.3 (64 bit)

PoC
===
GET /plugins/rrdPlugin?action=arbreq&which=graph&arbfile=TEST">[XSS]&arbiface=eth0&start=1343344529&end=1343348129&counter=&title=Active+End+Nodes&mode=zoom HTTP/1.1

Credits
=======
Vulnerability discovered by Marcos Garcia (@artsweb)

Solution
========
Upgrade to Ntop v5.0 ( http://sourceforge.net/projects/ntop/files/ntop/Stable/)
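As an added example that is not part of the advisory, the following Python check scans web-server access-log lines for requests to the rrdPlugin endpoint whose URL-decoded query values contain HTML metacharacters, which is the condition the PoC above relies on. The log lines are constructed for illustration; the endpoint path and parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory or a real server).
# The second line carries the percent-encoded form of the PoC value TEST">[XSS].
SAMPLE_LOG = """\
10.0.0.5 - - [03/Aug/2012:10:00:01 +0200] "GET /plugins/rrdPlugin?action=arbreq&which=graph&arbfile=eth0-pkts&arbiface=eth0&counter=&mode=zoom HTTP/1.1" 200 4121
10.0.0.7 - - [03/Aug/2012:10:00:09 +0200] "GET /plugins/rrdPlugin?action=arbreq&which=graph&arbfile=TEST%22%3E%5BXSS%5D&arbiface=eth0&counter=&mode=zoom HTTP/1.1" 200 4133
10.0.0.9 - - [03/Aug/2012:10:00:12 +0200] "GET /index.html HTTP/1.1" 200 812
"""

# Common-log-format request line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters that break out of an HTML attribute or text node when reflected unescaped.
HTML_META = set('<>"\'')

RRD_PLUGIN_PATH = "/plugins/rrdPlugin"


def suspicious_params(target: str) -> dict:
    """Return {param: decoded_value} for rrdPlugin query values containing HTML metacharacters.

    Only the rrdPlugin endpoint is inspected; other paths return an empty dict.
    parse_qs percent-decodes the values, so encoded and literal metacharacters are treated alike.
    """
    parts = urlsplit(target)
    if parts.path != RRD_PLUGIN_PATH:
        return {}
    flagged = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if HTML_META & set(value):
                flagged[name] = value
    return flagged


def scan_log(text: str) -> list:
    """Return [(line_number, flagged_params)] for every log line that matches the check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        flagged = suspicious_params(match.group("target"))
        if flagged:
            findings.append((lineno, flagged))
    return findings


if __name__ == "__main__":
    for lineno, flagged in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {flagged}")
```

Servers that log the raw request line without percent-encoding it may break the request-line regex on a literal quote, so normalise such logs before running the check.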

References:

http://www.ntop.org/
http://sourceforge.net/projects/ntop/files/ntop/Stable/


Copyright 2024, cxsecurity.com