Icecast Access Arbitrary Files

2001-06-26T00:00:00
ID OSVDB:1883
Type osvdb
Reporter GoLLuM.no (gollum@digit-labs.org)
Modified 2001-06-26T00:00:00

Description

Vulnerability Description

Icecast contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The server does not properly sanitize user input, specifically directory traversal sequences (../../) supplied via the URI.

Solution Description

Upgrade to version 1.3.12 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[victim]:8000/file/%2E%2E/test1.mp3
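
The request above writes the ".." segment as %2E%2E, so a check that looks for literal dots before the URI is decoded never sees it. The following is an added example, not Icecast's code and not the 1.3.12 fix: it percent-decodes the path once and only then walks its segments. The function names are hypothetical, and it assumes "rel" is the part of the URI after a served prefix such as /file/.

```c
#include <ctype.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst (dst needs strlen(src) + 1 bytes).
 * Returns 0 on success, -1 on a malformed escape or an encoded NUL byte. */
static int url_decode(const char *src, char *dst)
{
    while (*src) {
        if (*src != '%') { *dst++ = *src++; continue; }
        int hi = hexval((unsigned char)src[1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
        if (lo < 0 || (hi == 0 && lo == 0)) return -1;
        *dst++ = (char)(hi * 16 + lo);
        src += 3;
    }
    *dst = '\0';
    return 0;
}

/* rel is the request path after the served prefix (assumption: the text
 * following "/file/"). Returns 1 if it resolves inside the served
 * directory, 0 if the request must be refused. Decoding runs BEFORE the
 * segment walk, so "%2E%2E" is compared as "..". The name is hypothetical;
 * this is not an Icecast function. */
int rel_path_is_safe(const char *rel)
{
    char buf[1024];
    int depth = 0;                 /* directory levels below the served root */

    if (strlen(rel) >= sizeof buf || url_decode(rel, buf) != 0) return 0;
    if (buf[0] == '/' || strchr(buf, '\\')) return 0; /* absolute or backslash */
    for (const char *p = buf; *p; ) {
        size_t n = strcspn(p, "/");                   /* length of this segment */
        if (n == 2 && p[0] == '.' && p[1] == '.') { if (--depth < 0) return 0; }
        else if (n > 0 && !(n == 1 && p[0] == '.')) depth++;
        p += n;
        if (*p == '/') p++;
    }
    return 1;
}
```

This check is lexical only and does not follow symbolic links; a server would still resolve the final path (for example with realpath) and confirm it lies under the served directory before opening it.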

References:

Vendor URL: http://www.icecast.org/
Other Advisory URL: http://www.digit-labs.org/files/advisory/DLA-25-06-2001.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-06/0353.html
Keyword: Directory Traversal
ISS X-Force ID: 6752
CVE-2001-0784
Bugtraq ID: 2932