ntop seem to be a very badly written program, lots of buffers are allocated of random lengths and then used as return buffers for other functions (where the numbers are duplicated, made smaller, but never gotten via a constant declared somewhere else). I've just taken a quick look at http.c (to fix the nonworking admin URLs)... There is a couple of buffer overflows in http.c: handleHTTPrequest calls readHTTPheader with a stack allocated 64 character long buffer called pw. readHTTPheader reads up to 255 bytes from the network and if the first 21 characters are "Authorization: Basic ", the rest of the line is copied to pw. Any characters except NUL, CR and LF are allowed, so most shellcodes would work. If this is exploitable or not, I don't know (it depends on the compiler used to compile it and how it lays out the stack). doAddUser in admin.c is called with a value that is the number of bytes a POST request is made of. It is gotten from a atoi() call in readHTTPheader (in http.c) with no checks for its length. In doAddUser a network socket read is made for that number of characters and they are stored in a stackallocated 256 character long buffer. doAddURL is almost a copy of doAddUser and can be used in the same way. Both functions seem exploitable to me.
We (Red Hat) should really try to resolve this before next release.
It's fixed in ntop-1.3.2-4. You will find it in the next rawhide release.