Bug 513818 (CVE-2014-4165) - net-analyzer/ntop: cross-site scripting (XSS) flaw in rrdPlugin
Summary: net-analyzer/ntop: cross-site scripting (XSS) flaw in rrdPlugin
Status: RESOLVED FIXED
Alias: CVE-2014-4165
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [ noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-19 09:24 UTC by Agostino Sarubbo
Modified: 2018-01-06 14:47 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2014-06-19 09:24:54 UTC
From ${URL} :

A cross-site scripting flaw was found in ntop's rrdPlugin plug-in. An attacker could use this flaw to perform cross-site scripting attacks against users of the ntop web interface.

Original report: http://packetstormsecurity.com/files/127043/ntop-xss.txt

The issue seems to be both with content inside the <title> tags, and any trailing content afterwards.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
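The report above says the unsafe output lands inside the <title> element and in the page body after it; both are HTML text contexts, and the defensive fix for that class of bug is to escape untrusted strings for that context before they are written into the page. The following is an added example, not code from ntop or its rrdPlugin: the function names (html_escape, render_title_page), the page layout and the sample input are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not ntop code): escape a string for the HTML text context,
 * which covers <title> content and the body text that follows it.
 * Returns the number of bytes written (excluding the NUL), or -1 if out is too small. */
static int html_escape(const char *in, char *out, size_t outsz) {
    size_t pos = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };
        switch (*in) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (pos + n + 1 > outsz) return -1;   /* refuse to truncate mid-entity */
        memcpy(out + pos, rep, n);
        pos += n;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Hypothetical page builder: a caller-supplied name (for example, a host or
 * interface name taken from a request parameter) is escaped once and the
 * escaped copy is used both inside <title> and in the page body.
 * Returns 0 on success, -1 if a buffer is too small. */
static int render_title_page(const char *name, char *out, size_t outsz) {
    char safe[256];
    if (html_escape(name, safe, sizeof safe) < 0) return -1;
    int n = snprintf(out, outsz,
                     "<html><head><title>ntop report: %s</title></head>"
                     "<body><h1>%s</h1></body></html>", safe, safe);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void) {
    /* Constructed input: a string that tries to close the <title> element early.
     * After escaping it is rendered as literal text and cannot become markup. */
    const char *untrusted = "</title><script>alert(1)</script>";
    char page[1024];
    if (render_title_page(untrusted, page, sizeof page) == 0)
        puts(page);
    return 0;
}
```

The escaper rejects output that would not fit rather than truncating, because a cut-off entity such as "&lt" followed by later output can itself change how the browser parses the page. The same escaped buffer is reused for the body so that the title and the trailing content, the two places the report names, are protected by one code path.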
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-23 16:57:33 UTC
@ Maintainer(s): The latest version is still affected and nobody seems to have a patch for this. Also, upstream has discontinued the software in favor of its successor ntopng, which is already in tree. So if you don't find a patch, please consider removal.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-08-16 01:59:05 UTC
Netmon team, without active development upstream, please consider removal from tree.
Comment 3 Rick Farina (Zero_Chaos) gentoo-dev 2017-09-01 19:09:49 UTC
Been multiple years without anyone caring. I approve removal. Apologies for not removing myself, but I'm a bit overwhelmed at the moment.
Comment 5 Larry the Git Cow gentoo-dev 2018-01-06 14:42:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf5252b406cd0c436c09566105c5e05f406bd46a

commit bf5252b406cd0c436c09566105c5e05f406bd46a
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-01-06 14:41:21 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-01-06 14:42:28 +0000

    net-analyzer/ntop: remove last rited package
    
    Bug: https://bugs.gentoo.org/513818

 net-analyzer/ntop/Manifest                        |   1 -
 net-analyzer/ntop/files/ntop-5.0.1-INCS.patch     |  27 ---
 net-analyzer/ntop/files/ntop-5.0.1-gentoo.patch   | 240 ----------------------
 net-analyzer/ntop/files/ntop-5.0.1-includes.patch |  20 --
 net-analyzer/ntop/files/ntop-5.0.1-librrd.patch   |  31 ---
 net-analyzer/ntop/files/ntop-confd                |   9 -
 net-analyzer/ntop/files/ntop-initd                |  30 ---
 net-analyzer/ntop/files/ntop-initd-r1             |  24 ---
 net-analyzer/ntop/files/ntop-update-geoip-db      |  21 --
 net-analyzer/ntop/metadata.xml                    |  19 --
 net-analyzer/ntop/ntop-5.0.1-r2.ebuild            | 135 ------------
 net-analyzer/ntop/ntop-5.0.1-r3.ebuild            | 138 -------------
 12 files changed, 695 deletions(-)
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-06 14:44:37 UTC
No removal GLSA for XSS.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-06 14:47:19 UTC
package.mask has been also cleaned.