From owner-freebsd-security  Mon Dec 10 19:59:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-95.dsl.lsan03.pacbell.net [63.207.60.95])
	by hub.freebsd.org (Postfix) with ESMTP id BCD9037B405
	for <freebsd-security@freebsd.org>; Mon, 10 Dec 2001 19:59:21 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 41F7266BCE; Mon, 10 Dec 2001 19:59:21 -0800 (PST)
Date: Mon, 10 Dec 2001 19:59:21 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Rik <freebsd-security@rikrose.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Why is web mode (-w) disabled in ntop port?
Message-ID: <20011210195921.A51790@xor.obsecurity.org>
References: <20011211022743.A29482@spoon.pkl.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="d6Gm4EdcadzBjdND"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011211022743.A29482@spoon.pkl.net>; from freebsd-security@rikrose.net on Tue, Dec 11, 2001 at 02:27:43AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Dec 11, 2001 at 02:27:43AM +0000, Rik wrote:
> Hi all,
>=20
> I saw ntop in action at BSDCon Europe, and I have decided to try it out
> for myself. I primarily wanted to tinker with the web interface, only to
> find that it has been unconditionally disabled with a patch applied by
> the ports tree.
>=20
> I was wondering: Why? IT simply says it was disabled "for security
> reasons". Does it hae some kind of dire security problem which hasn't
> yet been resolved, except by disabling the feature?

Yes.

> And can someone tell be whether it was better ettiquette to ask the list
> rather than the port maintainer directly?

It's better ettiquette to do the research yourself before asking; 10
seconds of looking through the list of FreeBSD Security Advisories at
http://www.freebsd.org/security shows you this:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:36.ntop.asc

Kris
--d6Gm4EdcadzBjdND
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8FYR6Wry0BWjoQKURApzzAJ0dNkiAMTpfaWs29kRQJr0mJnH3igCePb6G
7rmd3nSzV53yPmoAKtaJmN8=
=Jnb7
-----END PGP SIGNATURE-----

--d6Gm4EdcadzBjdND--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message