xss and other bugs ...

Bug #777801 reported by David
Affects        Status        Importance  Assigned to  Milestone
ntop           Unknown       Unknown
ntop (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: ntop

The ntop package, despite being really buggy, is also vulnerable to XSS and probably many other kinds of web security bugs.
I am reporting two XSS bugs below.

http://XXXXXXX:3000/editPrefs.html?key=hostname.10.0.&val=%22/%3E%3Cbody%20onload=alert%281%29%3Ealert%281%29%3B%3C%2Fscript%3E&x=0&y=0

http://XXXX:3000/editPrefs.html?key=hostname.ff02%3A%3A1&val=%22/%3E%3Cbody%20onload=alert%281%29%3E

Recommendation:
1. Don't use GET to set stuff; use POST for that... :/
2. Use CSRF tokens.
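The two recommendations above, shown as an added example that is not ntop's code and not part of the report: a hypothetical preference-editing handler (names, session store and form fields are assumptions) that refuses GET for state changes, checks a per-session CSRF token in constant time, and HTML-escapes the reflected `val` before it is placed in the page.

```python
"""Added example, not ntop's code: the defensive pattern the report asks for.

Assumed (hypothetical) setup: a preference editor receives `key` and `val`,
reflects `val` back into an HTML attribute, and should only change state on
a POST that carries the CSRF token bound to the caller's session.
"""
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Session id -> CSRF token. In-memory store constructed for the example.
_SESSION_TOKENS: dict = {}


def issue_csrf_token(session_id: str) -> str:
    """Mint an unguessable token and bind it to the session (sent with the form)."""
    token = secrets.token_urlsafe(32)
    _SESSION_TOKENS[session_id] = token
    return token


def render_pref(key: str, val: str) -> str:
    """Reflect the submitted values with output encoding applied.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so a value
    that tries to close the attribute and start a new tag stays inert text.
    """
    safe_key = html.escape(key, quote=True)
    safe_val = html.escape(val, quote=True)
    return f'<input name="key" value="{safe_key}"><input name="val" value="{safe_val}">'


def handle_edit_prefs(method: str, body: str, session_id: str):
    """Return (status, body) applying both recommendations: POST-only + CSRF check."""
    if method != "POST":
        # 1. A state change must not be reachable through a GET link.
        return 405, "Method Not Allowed"
    form = parse_qs(body, keep_blank_values=True)
    submitted = form.get("csrf", [""])[0]
    expected = _SESSION_TOKENS.get(session_id)
    # 2. Reject requests without the session's token; compare in constant time.
    if not expected or not hmac.compare_digest(submitted, expected):
        return 403, "Forbidden"
    key = form.get("key", [""])[0]
    val = form.get("val", [""])[0]
    return 200, render_pref(key, val)
```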

Changed in ntop (Ubuntu):
assignee: nobody → Kees Cook (kees)
David (d--) wrote :

It isn't likely that an extended period of "being private" would serve anyone's benefit, so I have made this public.
I have made attempts to contact the developer, but none have received any kind of response.

visibility: private → public
description: updated
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. Once upstream has provided a fix, if you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in ntop (Ubuntu):
assignee: Kees Cook (kees) → nobody
status: New → Confirmed
Changed in ntop (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntop - 3:4.1.0+dfsg1-1

---------------
ntop (3:4.1.0+dfsg1-1) unstable; urgency=low

  * New upstream version (Closes: #520266, LP: #365145, LP: #777801).
  * Add kfreebsd-ftbfs.patch by Christoph Egger to fix FTBFS under kFreeBSD
    (Closes: #636389).
  * Update Brazilian debconf messages translation by Eder L. Marques
    (Closes: #629113).
  * Update po files.

ntop (3:4.0.3+dfsg1-4) unstable; urgency=low

  * Avoid adduser warnings during postinst (Closes: #338648).
  * Update Finnish debconf template translation by Esko Arajärvi
    (Closes: #614652).
  * Update Slovak debconf template translation by Slavko (Closes: #622109).
  * /etc/default/init: do not reference debconf settings and add description
    for user editable variables (Closes: #498308).
  * Redirect output messages to syslog (Closes: #391366).
  * Create empty access.log in postinst (Closes: #602890).
  * Use lsb helper functions for output in init script. Let start-stop-daemon
    handle detection of running daemon.
  * Depend on libjpeg-dev instead of libjpeg62-dev (Closes: #635485).
  * Update Standards-Version to 3.9.2.
 -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 17 Oct 2011 13:42:33 +0000

Changed in ntop (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information. Everyone can see this security related information.
