A NULL pointer dereference flaw was found in the way Ntop processed the
content of the Authorization HTTP header during HTTP Basic Authentication. A
remote attacker could issue a specially crafted HTTP authentication request,
leading to a denial of service (ntop daemon crash).
MITRE's CVE-2009-2732 record:
The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via an Authorization HTTP header that
lacks a : (colon) character in the base64-decoded string.
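The bug class described above, as an added illustration that is not ntop's code: Basic credentials are "user:password" base64-encoded, and a parser that assumes the colon is present writes through strchr()'s NULL result when it is missing. The decoder, the function names and the sample header values are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Minimal base64 decoder (constructed helper). Returns decoded length or -1
 * on an invalid character or output overflow; stops at '=' padding. */
int b64_decode(const char *in, char *out, size_t outsz) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl); bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outsz) return -1;
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Hardened split. The vulnerable pattern does "*colon = '\0';" right after
 * strchr() without checking it, which is a NULL pointer write whenever the
 * decoded string has no ':'. Here that case is rejected (caller answers 401). */
int split_checked(char *cred, char **user, char **pass) {
    char *colon = strchr(cred, ':');
    if (colon == NULL) return -1;   /* malformed: no user:password separator */
    *colon = '\0';
    *user = cred; *pass = colon + 1;
    return 0;
}

/* Validate an Authorization header value: 0 = user/pass parsed, -1 = reject. */
int check_basic_auth(const char *hdr, char *buf, size_t bufsz,
                     char **user, char **pass) {
    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    if (b64_decode(hdr + 6, buf, bufsz) < 0) return -1;
    return split_checked(buf, user, pass);
}

int main(void) {
    char buf[64], *u, *p;
    /* constructed samples: base64 of "admin:secret" and of "nocolon" */
    printf("%d\n", check_basic_auth("Basic YWRtaW46c2VjcmV0", buf, sizeof buf, &u, &p));
    printf("%d\n", check_basic_auth("Basic bm9jb2xvbg==", buf, sizeof buf, &u, &p));
    return 0;
}
```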
Hello Rakesh, Peter,
any progress while scheduling Fedora 10, 11 updates addressing this
Jan iankko Lieskovsky / Red Hat Security Response Team
I am not able to reproduce it on an F10 or F11 system with ntop-3.3.8-3.fc10.i386 and ntop-3.3.9-5.fc11.x86_64 respectively. :(
Will check with a few other test boxes around.
Unfortunately, I was not able to reproduce the issue on any of my boxes. Still, I have patched it without testing.
rawhide RPM x86_64: http://rakesh.fedorapeople.org/misc/ntop-3.3.10-3.fc12.x86_64.rpm
F11 build: http://koji.fedoraproject.org/koji/taskinfo?taskID=1674621
It would be great if you could check whether this fix works.
ntop-3.3.10-2.fc11 has been submitted as an update for Fedora 11.
Note: EL-5 version is not affected