Ntopng HTTP "Host" header field script insertion Vulnerability
Released on: 2014-09-02
Updated on: 2014-09-04
Affected Systems:
Ntopng 1.x
Description:
--------------------------------------------------------------------------------
Bugtraq id:
Ntopng is the next generation ntop tool that can sniff traffic and monitor network usage.
Ntopng 1.2.0 does not properly filter the HTTP "Host" header field. This can be exploited to insert arbitrary HTML and script code, which is then executed in the user's browser session.
<* Source: Steffen Bauch
Link: http://secunia.com/advisories/60096/
*>
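The kind of handling the description says is missing, as an added C++ example (not ntopng's own code and not the vendor patch): a Host value is checked against an allowlist of hostname syntax and HTML-escaped before it is written into a page. The function names, the `<td>` markup and the sample inputs are constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Escape the five characters that are significant in HTML text and attribute values.
std::string html_escape(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}
// Allowlist check: hostname or bracketed IPv6 literal, with an optional numeric port.
bool is_plausible_host(const std::string& h) {
    if (h.empty() || h.size() > 255) return false;
    std::string::size_type i = 0;
    if (h[0] == '[') {                              // IPv6 literal such as [2001:db8::1]
        std::string::size_type end = h.find(']');
        if (end == std::string::npos || end == 1) return false;
        for (i = 1; i < end; ++i)
            if (!std::isxdigit((unsigned char)h[i]) && h[i] != ':' && h[i] != '.') return false;
        i = end + 1;
    } else {                                        // DNS name or IPv4 address
        for (; i < h.size() && h[i] != ':'; ++i)
            if (!std::isalnum((unsigned char)h[i]) && h[i] != '-' && h[i] != '.') return false;
        if (i == 0) return false;                   // nothing before the port separator
    }
    if (i == h.size()) return true;                 // no port given
    if (h[i] != ':' || i + 1 == h.size()) return false;
    for (++i; i < h.size(); ++i)
        if (!std::isdigit((unsigned char)h[i])) return false;
    return true;
}
// Hypothetical renderer: always escape, and flag values that fail the syntax check.
std::string render_host_cell(const std::string& raw) {
    const char* cls = is_plausible_host(raw) ? "host" : "host invalid";
    return std::string("<td class=\"") + cls + "\">" + html_escape(raw) + "</td>";
}
int main() {
    // Constructed sample Host values; the last one carries markup.
    const char* samples[] = {"example.com:8080", "[2001:db8::1]:443", "a.example\"><script>x()</script>"};
    for (const char* s : samples) std::cout << render_host_cell(s) << "\n";
}
```

The escaping is what keeps the value inert in the page; the syntax check only adds a flag an operator can filter on.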
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Ntopng
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.ntop.org/products/ntop/