Message-ID: <5406C3F2.3090800@steffenbauch.de>
Date: Wed, 03 Sep 2014 09:32:02 +0200
From: Steffen Bauch <mail@...ffenbauch.de>
To: fulldisclosure@...lists.org
Subject: Re: [FD] ntopng 1.2.0 XSS injection using monitored network traffic
On 25.08.2014 21:48, Steffen Bauch wrote:
> ntopng 1.2.0 XSS injection using monitored network traffic
>
> ntopng is the next generation version of the original ntop, a network
> traffic probe and monitor that shows the network usage, similar to what
> the popular top Unix command does.
>
> The web-based frontend of the software is vulnerable to injection of
> script code via forged HTTP Host: request header lines in monitored
> network traffic.
>
> HTTP Host request header lines are extracted using nDPI traffic
> classification library and used without sanitization in several places
> in the frontend, e.g. the Host overview and specific subpages for each
> monitored host.
>
> The injected code might be used to execute JavaScript and to perform
> management actions with the user rights of the current ntopng user,
> which can be used to disable the monitoring function or to delete
> accounts, making the monitoring system unusable.
>
> To give a coarse idea of the vulnerability, the following Python script
> can be used on the monitored network; afterwards the victim needs to
> browse to the Host overview / Host details in the ntopng frontend.
>
> import httplib
>
> conn = httplib.HTTPConnection("example.com")
> headers = {"Host": "<SCRIPT>alert(\"xss\")</SCRIPT>", "Accept":
> "text/plain"}
> conn.request("GET", "/", None, headers)
> r1 = conn.getresponse()
> print(r1.status, r1.reason)
> data1 = r1.read()
>
> Other users of the nDPI code might be affected as well.
>
> Steffen Bauch
> Twitter: @steffenbauch
> http://steffenbauch.de
MITRE has assigned CVE-2014-5464 for this issue.
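As an added illustration from the defender's side (not part of the original advisory, nor code from ntopng or nDPI), the following Python snippet shows the unsafe pattern the advisory describes, building HTML directly from a Host header extracted from traffic, next to a hardened rendering that HTML-escapes the value, plus a hostname-syntax check a probe could use to flag forged headers. All function names are hypothetical, and the sample Host values are constructed (one of them is the advisory's own proof-of-concept string).

```python
import html
import re

# Hostname syntax roughly per RFC 1123: dot-separated labels of letters, digits
# and inner hyphens, optionally followed by ":port". A Host header parsed out
# of monitored traffic that does not look like this is not a legitimate value.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(r"^(?:" + _LABEL + r"\.)*" + _LABEL + r"(?::\d{1,5})?$")


def render_host_row_unsafe(host: str) -> str:
    """The pattern the advisory describes: the extracted Host value is
    concatenated into the page verbatim, so any markup in it is rendered."""
    return "<tr><td>" + host + "</td></tr>"


def render_host_row_safe(host: str) -> str:
    """Hardened variant: the fix is output encoding. Whatever came off the wire
    is HTML-escaped at the point it is inserted into the page, so it is shown
    as text and can never become a script element."""
    return "<tr><td>" + html.escape(host, quote=True) + "</td></tr>"


def is_valid_host_header(host: str) -> bool:
    """True if the value is syntactically a hostname (optionally with port).
    Validation is a detection signal, not a substitute for escaping."""
    return len(host) <= 259 and bool(_HOST_RE.match(host))  # 253 + ":65535"


def flag_suspicious_hosts(hosts):
    """Return the Host values a monitoring probe should log as anomalous
    rather than silently display; forged headers like the PoC land here."""
    return [h for h in hosts if not is_valid_host_header(h)]


# Constructed sample: a benign header and the advisory's proof-of-concept value.
SAMPLE_HOSTS = ["example.com", "<SCRIPT>alert(\"xss\")</SCRIPT>"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        status = "ok   " if is_valid_host_header(h) else "FLAG "
        print(status + render_host_row_safe(h))
```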
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/