RE: segfault in ntop

From: Burton M. Strauss III (Burtonat_private)
Date: Fri Apr 19 2002 - 06:58:04 PDT


    (Resend - apparently this didn't get through the 1st time)
    
    The current version of ntop (2.0.99) - 12April2002 snapshot - does not
    crash.  Tested under 4.79 and 6.2.2.  Also IE 5.5.
    
    The patch in traceEvent to fix the previously reported security problem
    (references below) also fixes this problem.  That version has been available
    in ntop snapshots since 01Mar2002.
    
    Snapshots and news are available at the ntop community support pages,
    http://snapshot.ntop.org/.
    
    ntop 2.1 (a new stable release) is being prepared for release.
    
    -----Burton
    
    Bugtraq references
    
    Original traceEvent posting:
    http://online.securityfocus.com/archive/1/259642
    Reply: http://online.securityfocus.com/archive/1/259723
    
    Second traceEvent posting: http://online.securityfocus.com/archive/1/267053
    Reply: http://online.securityfocus.com/archive/1/267180
    
    ==============================
    
    What appears to be the difference between NS4.79/IE5.5 and NS6.2.2 is that
    Netscape 6.2.2 converts the url from
    
    http://192.168.xx.yy:pppp/`ls` to
    http://192.168.xx.yy:pppp/%60ls%60
    
    ntop 2.0.99 (12Apr2002 snapshot) returns
    
    "Unable to generate the page requested [%60]"
    
    Netscape 4.79 reports "The document contains no data. Try again later or
    contact the server's administrator."
    
    IE 5.50 gives a standard internally generated error page.
    
    Note that under both RFC 1945 - http 1.0
    (http://www.w3.org/Protocols/rfc1945/rfc1945) and RFC 2068 - http 1.1
    (http://www.w3.org/Protocols/rfc2068/rfc2068), the character ` appears to be
    legal - it falls into the "national" category.
    
    The results from IE 5.5 and NS 4.79 for ntop 2.0 are the same as above.
    With the conversion from ` -> %60, NS 6.2.2 does in fact crash ntop 2.0 --
    IF the -L (use syslog) flag is not specified...
    
    Wait please: ntop is coming up...
    17/Apr/2002 18:18:59 Initializing IP services...
    17/Apr/2002 18:18:59 Initializing SSL...
    17/Apr/2002 18:18:59 SSL initialized successfully
    17/Apr/2002 18:18:59 Initializing GDBM...
    17/Apr/2002 18:18:59 Initializing network devices...
    17/Apr/2002 18:18:59 ntop v.2.0.0 MT (SSL) [i686-pc-linux-gnu] (02/28/02 06:47:29 AM build)
    17/Apr/2002 18:18:59 Listening on [eth0,eth1]
    17/Apr/2002 18:18:59 Copyright 1998-2001 by Luca Deri <deriat_private>
    17/Apr/2002 18:18:59 Get the freshest ntop from http://www.ntop.org/
    17/Apr/2002 18:18:59 Initializing...
    ...
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 8201 (LWP 18072)]
    __wcslen (s=0x3ff) at wcslen.c:30
    30      wcslen.c: No such file or directory.
            in wcslen.c
    (gdb) info stack
    #0  __wcslen (s=0x3ff) at wcslen.c:30
    #1  0x4051a344 in __wcsrtombs (dst=0x0, src=0x44630ca8, len=0, ps=0x44630cac) at wcsrtombs.c:67
    #2  0x404e3957 in _IO_vfprintf (s=0x405c06e0, format=0x4463124c "     12. Requested URL = '/%60ls%60', length = -1\n", ap=0x44631204) at vfprintf.c:1524
    #3  0x404ebe0c in printf (format=0x4463124c "     12. Requested URL = '/%60ls%60', length = -1\n") at printf.c:33
    #4  0x40210466 in traceEvent (eventTraceLevel=3, file=0x4005838b "http.c", line=1809, format=0x400580c0 "%7d. Requested URL = '%s', length = %d\n") at util.c:2173
    #5  0x40036c99 in handleHTTPrequest (from={s_addr = 53127360}) at http.c:1809
    #6  0x400530d1 in handleSingleWebConnection (fdmask=0x44631a0c) at webInterface.c:1155
    #7  0x40052fa7 in handleWebConnections (notUsed=0x0) at webInterface.c:1086
    #8  0x40450c6f in pthread_start_thread (arg=0x44631be0) at manager.c:284
    #9  0x40450d5f in pthread_start_thread_event (arg=0x44631be0) at manager.c:308
    (gdb)
    
    With -L in the parameters, the error is properly caught and reported (albeit
    incompletely) in the log:
    
    Apr 17 18:49:49 tigger ntop[18115]:      10. Requested URL = '/`ls`', length = -1
    Apr 17 18:50:06 tigger ntop[18115]:      11. Requested URL = '/
    Apr 17 18:50:06 tigger ntop[18115]: Found % : @ \r or \n in URL (
    Apr 17 18:50:06 tigger ntop[18115]:      12. Requested URL = '/style.css', length = -1
    
    -----Original Message-----
    From: JP [mailto:pxat_private]
    Sent: Wednesday, April 17, 2002 12:13 PM
    To: bugtraqat_private
    Subject: segfault in ntop
    
    
    I'm sorry if this has already been discussed on here before, but I went
    through the thread and saw nothing on it.
    
    I was able to remotely segfault ntop v.2.0.0 using Netscape 6.1 by simply
    specifying a command in the url location bar.  For example:
    
    http://ntop.site.com:port/`ls`
    
    That above command will cause ntop to segfault and core dump.  I tried a
    few different commands: ls and su segfaulted ntop, whereas everything else
    I tried gave a 403 error, but ntop stayed online.
    
    Here's information about my ntop platform:
    
    Mandrake Linux v8.1 kernel 2.4.8-26mdk
    ntop v.2.0.0 MT [i686-pc-linux-gnu] (01/24/02 03:04:18 PM build)
    
    I was able to segfault ntop from the following platforms:
    
    Mandrake Linux v8.1 kernel 2.4.8-26mdk with Netscape v6.1
    (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010726
    Netscape6/6.1)
    
    Mandrake Linux v8.1 kernel 2.4.8-26mdk with Opera 5.0 for Linux - 20010510
    Build 024 -[5]
    
    Windows 2000 Server 5.00.2195 SP2 with Netscape v6.2.2
    (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4.1)
    Gecko/20020314 Netscape6/6.2.2)
    
    I was unable to duplicate this segfault with the following browsers:
    
    Internet Explorer v6.0.2600.0000
    Konqueror v2.2.1
    
    I did not test any other platforms or browsers than the ones listed here.
    I have notified ntop and haven't received a response yet.
    
    Thanks,
    
    jason
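
Added illustration (mine, not ntop's code and not part of either message above): frames #3 and #4 of the backtrace show traceEvent() formatting its message with "%7d. Requested URL = '%s', length = %d\n" and then handing the finished buffer to printf() as the format argument. Once the browser has encoded the backticks, that buffer contains "%60ls", which vfprintf reads as a width-60 wide-string conversion; it pulls a wchar_t* that was never passed off the argument list (s=0x3ff in frame #0) and dies in wcslen(). The block below scans a string for the directives vfprintf would consume, and shows the pattern a fixed trace routine needs: format exactly once, then emit through a constant "%s". The function names, the use_syslog flag (standing in for ntop's -L switch) and the sample inputs are my own; the URLs are the ones in the backtrace and the syslog excerpt. I have not seen ntop's actual traceEvent patch, so this is the shape of the fix rather than its code.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Scan s the way vfprintf would and return how many conversion directives
 * would consume a vararg ("%%" consumes none; a '%' cut off by the end of
 * the string is counted too, since vfprintf's behaviour on it is undefined).
 * If wide is non-NULL it is set to 1 when a wide-string directive (%ls or
 * %S) is present: that is the directive that sent the backtrace above into
 * __wcsrtombs/__wcslen with a garbage pointer. */
static int count_format_directives(const char *s, int *wide)
{
    int n = 0;
    if (wide)
        *wide = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* literal percent */
        if (*p == '\0') {
            n++;                            /* dangling '%' at end of string */
            break;
        }
        int longmod = 0;
        while (*p && strchr("-+ #0123456789.", *p))
            p++;                            /* flags, width, precision */
        while (*p && strchr("hlLqjzt", *p)) {
            if (*p == 'l' || *p == 'L')
                longmod = 1;
            p++;                            /* length modifiers */
        }
        if (*p == '\0') {
            n++;                            /* "%60" with no conversion char */
            break;
        }
        if (wide && ((*p == 's' && longmod) || *p == 'S'))
            *wide = 1;
        n++;
    }
    return n;
}

/* Hardened trace helper (my reconstruction of the pattern the fix needs,
 * not ntop's patched traceEvent): format exactly once into a bounded buffer,
 * then hand the result to the output routine through a constant format, so
 * bytes that came from the request can never be parsed as directives.
 * Returns vsnprintf's length so the caller can detect truncation. The
 * use_syslog flag mirrors ntop's -L switch: syslog(3) takes a format string
 * too, so it must get "%s" as well. */
static int trace_event_safe(char *out, size_t outlen, int use_syslog,
                            const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (use_syslog)
        syslog(LOG_INFO, "%s", out);
    else
        fputs(out, stdout);                 /* fputs interprets nothing */
    return n;
}

int main(void)
{
    /* Constructed inputs: the first and third are the URLs in the syslog
     * excerpt, the second is the encoded form from the backtrace. */
    const char *urls[] = { "/`ls`", "/%60ls%60", "/style.css" };
    char line[256];

    for (int i = 0; i < 3; i++) {
        int wide;
        int n = count_format_directives(urls[i], &wide);
        printf("%-12s consumes %d vararg(s), wide-string directive: %s\n",
               urls[i], n, wide ? "yes" : "no");
        /* Same call shape as frame #4 of the backtrace; with the buffer
         * emitted via fputs, the %60ls inside the URL is just text. */
        trace_event_safe(line, sizeof line, 0,
                         "%7d. Requested URL = '%s', length = %d\n",
                         10 + i, urls[i], -1);
    }
    return 0;
}
```

Build with cc -std=c99 -Wall -Wformat-security. That warning flag is the cheap way to find this class of bug in a source tree: gcc reports any call like printf(buf) or syslog(pri, buf) whose format is not a string literal and has no arguments following it.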
    



    This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 13:19:01 PDT