Bug 266947 - <net-analyzer/ntop-3.3.9-r2: Insecure creation of log files
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://www.ntop.org/trac/ticket/75
Whiteboard: C3? [noglsa]
Keywords:
Depends on: 265704
Blocks:
Reported: 2009-04-21 07:55 UTC by Alex Legler (RETIRED)
Modified: 2009-06-22 07:50 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Fix from upstream SVN (changeset_trunk_r3748.diff,385 bytes, patch)
2009-04-21 07:56 UTC, Alex Legler (RETIRED)

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-21 07:55:05 UTC
Secunia writes:

A weakness has been reported in ntop, which can be exploited by
malicious, local users to manipulate certain information.

The weakness is caused due to ntop creating the access log file with
world-writable permissions, which can be exploited to modify the
access log information.

Successful exploitation may require that ntop is launched with the
"--access-log-file" and "-d" options.
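
The weakness described above, as an added C example (not ntop's code and not the upstream patch attached to this bug): a log file created with fopen() under a cleared umask ends up world-writable, while open() with an explicit mode plus fchmod() does not. The umask of 0 is an assumption about how a daemonized process might run; the function names and the /tmp path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: fopen() requests 0666 and relies on the umask to trim it. */
int create_log_weak(const char *path)
{
    struct stat st;
    mode_t old = umask(0);            /* assumption: daemon cleared the umask */
    FILE *fp = fopen(path, "ab");
    umask(old);
    if (fp == NULL) return -1;
    int rc = fstat(fileno(fp), &st);
    fclose(fp);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;   /* permission bits */
}

/* Hardened: explicit mode, no symlink following, fchmod() to fix an old file. */
int create_log_hardened(const char *path)
{
    struct stat st;
    mode_t old = umask(0);            /* same cleared umask as the weak case */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    umask(old);
    if (fd < 0) return -1;
    int rc = (fchmod(fd, 0640) == 0 && fstat(fd, &st) == 0) ? 0 : -1;
    close(fd);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Audit check: 1 if the file is world-writable, 0 if not, -1 on error. */
int is_world_writable(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

int main(void)
{
    const char *p = "/tmp/added_example_access.log";   /* constructed path */
    unlink(p);
    printf("fopen under umask 0: %04o\n", (unsigned)create_log_weak(p));
    printf("open + fchmod(0640): %04o\n", (unsigned)create_log_hardened(p));
    printf("world-writable now:  %d\n", is_world_writable(p));
    return unlink(p);
}
```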
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-21 07:56:50 UTC
Created attachment 189024 [details, diff]
Fix from upstream SVN
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-21 08:07:54 UTC
For reference: http://secunia.com/advisories/34793/
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2009-04-25 09:33:36 UTC
Fixed in ntop-3.3.9-r2. 
In bug 265704 I've asked for stable keywords. 
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2009-05-02 15:25:11 UTC
ntop-3.3.9-r2 is stable now.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-04 06:56:34 UTC
Ready for vote then, I vote YES.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 22:27:31 UTC
I vote NO.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-22 07:50:35 UTC
NO, too. Closing