ntopng HTTP Host Request Header Lines Multiple HTML Injection Vulnerabilities

Bugtraq ID:	69385
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Aug 25 2014 12:00AM
Updated:	Aug 25 2014 12:00AM
Credit:	Steffen Bauch
Vulnerable:
Not Vulnerable:

ntopng HTTP Host Request Header Lines Multiple HTML Injection Vulnerabilities

ntopng is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

ntopng 1.2.0 is vulnerable; other versions may also be affected.

ntopng HTTP Host Request Header Lines Multiple HTML Injection Vulnerabilities

An attacker can exploit these issues using readily available tools.

ntopng HTTP Host Request Header Lines Multiple HTML Injection Vulnerabilities

Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

ntopng HTTP Host Request Header Lines Multiple HTML Injection Vulnerabilities

References: