ntop suffers from a cross site scripting vulnerability.
35b20d152d65e04c2c54cd3dc5116e2a46f202ebdc20bb9c7b03b74554c6c04c###############################################################################
# Exploit Title : ntop, Web-based Traffic Analysis and Flow Collection tool reflected xss vulnerability
# Author : Manish Kishan Tanwar
# Vendor : httphttps://www.ntop.org
# Date : 10/06/2014
#Discovered @ : INDISHELL Lab
# Love to : zero cool,Team indishell,Hardeep Singh
#email : manish.1046@gmail.com
##############################################################################
////////////////////////
/// Overview:
////////////////////////
ntop is Web-based Traffic Analysis and Flow Collection tool which is use to monitor network traffic.
its web interface suffers from xss vulnerability.
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
title paramter in link
https://localhost:3000/plugins/rrdPlugin?action=list&key=interfaces/eth0&title=interface eth0
doesnt check for values before displaying them on web page because of which it is vulnerable to xss
//////////////////////////////
/// Proof of Concept: -
//////////////////////////////
here is the example url injected with simple xss payload
https://localhost:3000/plugins/rrdPlugin?action=list&key=interfaces/eth0&title=interface eth0</title><script>alert('vulnerable to
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,Atul Dwivedi ethicalnoob Indishell,Local root indishell,
#Irfninja indishell,Reborn India,L0rd Crus4d3r,cool toad,cool shavik,Hackuin,Alicks,Ebin V Thomas
#Dinelson Amine,Th3 D3str0yer,SKSking,Mr. Trojan,rad paul,Godzila,mike waals,zoozoo,
#The creator,cyber warrior,Neo hacker ICA,Suriya Prakash, cyber gladiator,Cyber Ace,
#Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji ,
#Hacking queen,lovetherisk,brown suger and rest of TEAM INDISHELL
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Anju Gulia,Don(Deepika kaushik) and acche bacchi(Jagriti)
--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed