Hi,

It seems like the URL problem I reported previously is more complex.

The problem is checkURLsecurity() in http.c. It checks for // (and for some other fishy stuff like &&, ??) in the URL, and returns with an error.

After that, an HTTP error response is returned to the client and the built-in HTTP server freezes, not answering requests. NTOP must be restarted.

It is clearly a BUG, at least on my setup (current CVS version). In addition, it makes way for a DoS attack.

Best Regards,

khazy

PS: Apache substitutes '//' in URLs with '/' if '//' appears in the server local part of the URL, and answers the request without problem. Just try it on an Apache server.
_______________________________________________________________________________
 Tamas Kovacshazy  E-mail: [EMAIL PROTECTED]  WWW: http://www.mit.bme.hu/~khazy
                Budapest University of Technology and Economics
 Department of Measurement and Information Systems  WWW: http://www.mit.bme.hu
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
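
The handling the PS describes, collapsing repeated '/' in the server-local part of the URL instead of rejecting the request, as an added example that is not part of the original message and is neither ntop's checkURLsecurity() nor Apache's code. The function name collapse_slashes and the sample URLs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: collapse runs of '/' in the path part of a request
 * target, in place. Everything from the first '?' onward (the query string)
 * is copied unchanged, so only the server-local path is normalised.
 * Returns the new length, or -1 if url is NULL or does not start with '/'
 * (the caller should then answer with an error and keep serving). */
int collapse_slashes(char *url)
{
    char *r, *w;
    size_t rest;

    if (url == NULL || url[0] != '/')
        return -1;

    r = url;
    w = url;
    while (*r != '\0' && *r != '?') {
        /* Skip a '/' when the previous character written was also '/'. */
        if (*r == '/' && w > url && w[-1] == '/') {
            r++;
            continue;
        }
        *w++ = *r++;
    }

    /* Move the query string (or just the terminator) up behind the path. */
    rest = strlen(r);
    memmove(w, r, rest + 1);
    return (int)((size_t)(w - url) + rest);
}

int main(void)
{
    /* Constructed sample request targets. */
    char a[] = "//index.html";
    char b[] = "/a//b///c?x=//y";

    collapse_slashes(a);
    collapse_slashes(b);
    printf("%s\n%s\n", a, b);
    return 0;
}
```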
