Today we have released a maintenance version of both nDPI and ntopng that address minor issues present in the previous stable release. In particular for ntopng we have addressed many small security holes identified by security researchers (our thanks go to Luca Carettoni), and thus we encourage you to upgrade when possible; note that for all these attacks you needed a valid ntopng user and password before to perform them, so their danger level is not too high, but still we encourage you too upgrade. Finally this release contains patches and enhancements courtesy of Debian maintainer Ludovico Cavedon who has packaged both ntopng and nDPI apps for Debian/Ubuntu.
- Added support for SSL client/server certificate export in nDPI flows
- Added missing -lrt and -lnl libraries required when compiling the demo ndpiReader application with PF_RING..
- json-c is now optional for the demo ndpiReader application.
- Added missing symbols not previously exported by the nDPI shared library.
- Fixes for Mac OSX HomeBrew package.
- Various fixes to prevent security attacks
- CSRF attacks
- XSS attacks
- Local file inclusion now checks paths (globbing) even for authenticated users
- Added check for CRSF attacks (http://en.wikipedia.org/wiki/Cross-site_request_forgery)
- Added extra checks for preventing XSS (http://en.wikipedia.org/wiki/Cross-site_scripting)
- Fix for Set-Cookie HttpOnly
- Added XFrameOptions: DENY in http headers to prevent clickjacking attacks
- Specified charset ISO88591 in HTML resposes to avoid attackers to bypass application’s defensive filters
- Fixes for
- CVE-2014-5464 – Steffen Bauch
- CVE-2014-4329 – Madhu Akula
- CVE-2014-5511, CVE-2014-5512, CVE-2014-5513, CVE-2014-5514, CVE-2014-5515 – Luca Carettoni
- Patches for CentOS 7, Mac OSX HomeBrew, and Debian package.
- Various minor fixes.