A user reported to us:
"""
I would like to report a possible security issue in ntopng.
When connected with a regular, unprivileged user, it is possible to force-navigate to the URL: http://192.168.2.176:3000/lua/admin/validate_new_user.lua?user=<anyuser>&networks=0.0.0.0/0,::/0
Due to this, it is possible to replace <anyuser> with a list of users and enumerate the users that exist in the system.
"""
This commit fixes the issue
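The report above describes an admin-only page that an unprivileged session can reach by typing its URL. The defensive shape of such an endpoint, as an added illustration that is not ntopng's code (the session table, user store and handler names are all hypothetical), is to check the caller's privileges before doing any work, so the answer an unprivileged caller receives does not depend on the user parameter:

```lua
-- Added illustration, not ntopng code: an admin-only endpoint must check the
-- caller's privileges before doing any work, so an unprivileged session that
-- force-navigates to it gets the same answer regardless of the user name.
-- All names below (users, sessions, validate_new_user*) are hypothetical.

-- Constructed user store standing in for the real one.
local users = { admin = true, alice = true }

-- Constructed sessions: who is logged in and whether they are an administrator.
local sessions = {
  admin_cookie = { user = "admin", is_admin = true },
  guest_cookie = { user = "bob",   is_admin = false },
}

-- The vulnerable shape: the endpoint answers based on the supplied user name
-- without checking who is asking, so any logged-in user can tell existing
-- accounts from non-existing ones by varying the user parameter.
local function validate_new_user_unchecked(params)
  if users[params.user] then
    return 200, "User already exists"
  end
  return 200, "OK"
end

-- The hardened shape: deny before touching the user table. The 403 body is a
-- constant, so an unprivileged caller learns nothing about whether the name
-- is taken.
local function validate_new_user(session_id, params)
  local session = sessions[session_id]
  if not (session and session.is_admin) then
    return 403, "Forbidden"
  end
  if users[params.user] then
    return 200, "User already exists"
  end
  return 200, "OK"
end

-- Demonstration: the unprivileged session gets an identical answer for an
-- existing and a non-existing user, while an administrator still gets the
-- real check.
for _, name in ipairs({ "alice", "nobody" }) do
  local code, body = validate_new_user_unchecked({ user = name })
  print(("unchecked user=%-6s -> %d %s"):format(name, code, body))
  code, body = validate_new_user("guest_cookie", { user = name })
  print(("guest     user=%-6s -> %d %s"):format(name, code, body))
  code, body = validate_new_user("admin_cookie", { user = name })
  print(("admin     user=%-6s -> %d %s"):format(name, code, body))
end
```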
This commit is a companion of professional version commit
commit 2b6e5358a71179a728edc0a8e591ffb883d626ab
Date: Mon Aug 1 22:07:37 2016 +0200
Refactors stateful host alerts to provide an API
Interfaces were handled globally before this commit. Now
alerts can be configured per-interface. So, for example, alerts
for the same host 193.168.2.1 can be handled differently on multiple interfaces.
Old configured alerts should be automatically migrated thanks to the startup.lua script.
This commit also paves the way to introduce stateful alerts in the professional version.
This change is propaedeutic to Professional commit:
commit 1e1d453a1e96cc4394a0b94a7efe0b5857b1b1eb
Author: Simone Mainardi <simonemainardi@gmail.com>
Date: Mon Jul 18 20:04:53 2016 +0200
Improves the usability of historical charts
An excerpt of the json returned is:
{
  "srv.ip": "a.b.c.d",
  "cli.port": 50559,
  "srv.port": 443,
  "cli2srv.tcp_flags": {"SYN":1,"RST":0,"PSH":1,"FIN":0,"URG":0,"ACK":1},
  "cli2srv.throughput_bps": 0,
  "bytes": 2869,
  "srv2cli.throughput_bps": 0,
  "cli2srv.throughput_pps": 0,
  "srv2cli.tcp_flags": {"SYN":1,"RST":0,"PSH":1,"FIN":0,"URG":0,"ACK":1},
  "tcp_established": true,
  "srv2cli.throughput_pps": 0,
  "cli.ip": "192.168.2.130",
  "proto.ndpi_id": 126,
  "proto.ndpi": "SSL.Google"
},
Clicking on flow details (e.g., protocol or src or dst)
automatically redirects the user to the db explorer page
and preserves selection details (pro version).
Database updates are now performed asynchronously.
The web server starts but notifies the user with a
'please wait' message until the updates are completed.