Security Fix: users enumeration

A user reported to us:

"""
I would like to report a possible security issue in ntopng.

When connected with a regular, unprivileged user, it is possible to force-navigate to the URL: http://192.168.2.176:3000/lua/admin/validate_new_user.lua?user=<anyuser>&networks=0.0.0.0/0,::/0
Due to this, it is possible to replace <anyuser> with a list of users and enumerate the users that exist in the system.
"""

This commit fixes the issue
This commit is contained in:
Simone Mainardi 2016-08-05 17:53:34 +02:00
parent 89d6fa301a
commit 770bc4c6fc


@ -1800,7 +1800,7 @@ end
-- ##############################################
function haveAdminPrivileges()
if(isAdministrator) then
if(isAdministrator()) then
return(true)
else
ntop.dumpFile(dirs.installdir .. "/httpdocs/inc/header.inc")
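Review bot: the removed line `if(isAdministrator) then` tests the function value itself, not its result; in Lua a defined function is always truthy, so haveAdminPrivileges() granted admin rights to every authenticated user, which is exactly the unprivileged access to validate_new_user.lua described in the report. The replacement `if(isAdministrator()) then` actually invokes the check and is the right fix. Two follow-ups worth confirming, since they are outside this hunk: that the else branch returns false after `ntop.dumpFile(dirs.installdir .. "/httpdocs/inc/header.inc")` so callers cannot fall through to the privileged code path, and that every admin-only script (validate_new_user.lua in the report) gates on haveAdminPrivileges() before acting on the `user` parameter, since the root cause was a function reference used as a boolean and the same pattern may exist elsewhere.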