(Debian Issues Revised Fix) Icecast Audio Broadcasting Server Discloses MP3 Files Located Anywhere on the Installed Drive to Remote Users and Can Be Crashed Remotely
SecurityTracker Alert ID: 1003311
SecurityTracker URL: http://securitytracker.com/id/1003311
CVE Reference: GENERIC-MAP-NOMATCH (no matching CVE entry)
Date: Jan 21 2002
Impact: Denial of service via network, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.3.7 for Windows
Description:
Two vulnerabilities have been reported in the Windows version of Icecast. They allow remote users to crash the service and to retrieve MP3 files located outside of the main Web catalog directory.
If the Icecast server has http-server file streaming support enabled (not the default configuration), a remote user can reportedly crash the Icecast application by appending an extra "/" or "\" to the requested MP3 filename. The following format will trigger the vulnerability:
"http://[targethost]:8000/file/test.mp3/"
A remote user can also retrieve MP3 files that reside outside of the Web catalog directory by percent-encoding characters in the MP3 request. Replacing each "." with its encoded form %2E (note that %25 is the encoding of "%" itself, not of "."), i.e. requesting "/%2E%2E/" instead of "/../", walks up the directory tree past the server's check. The following format will trigger the vulnerability (if test1.mp3 is located in the appropriate directory):
"http://[targethost]:8000/file/%2E%2E/test1.mp3"
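The two request formats above, as an added example that is not part of this alert or of Icecast's code: a small Python model of a "/file/" resolver that behaves the way the description implies (a ".." check on the raw request, decoding afterwards, a trailing separator passed through), next to a hardened resolver that decodes once, rejects directory-style requests and judges containment on the canonical path. The catalog directory, the request strings and the exact form of the naive check are assumptions made for the demonstration.

```python
# Added example (not Icecast's code): a model of the two "/file/" request bugs
# described in the alert, the naive resolver that exhibits them and a hardened one.
# CATALOG_ROOT, PREFIX and SAMPLE_REQUESTS are assumptions for the demonstration.
import posixpath
from urllib.parse import unquote

CATALOG_ROOT = "/srv/icecast/catalog"   # assumed web catalog directory
PREFIX = "/file/"                       # assumed URL prefix of the file-streaming feature


def vulnerable_resolve(url_path):
    """Naive handling of the kind the alert describes.

    The '..' check runs on the raw (still percent-encoded) request, so
    '%2E%2E' is never seen, and the decoded remainder is then glued onto the
    catalog root. A trailing '/' or '\\' is passed through untouched, which is
    what the crashing request 'test.mp3/' relies on.
    """
    if not url_path.startswith(PREFIX):
        raise ValueError("not a file request")
    rest = url_path[len(PREFIX):]
    if ".." in rest:                           # checked before decoding: bypassable
        raise PermissionError("traversal rejected")
    return CATALOG_ROOT + "/" + unquote(rest)  # decoded only after the check


def hardened_resolve(url_path):
    """Decode first, reject directory-style requests, then compare canonical paths."""
    if not url_path.startswith(PREFIX):
        raise ValueError("not a file request")
    rest = unquote(url_path[len(PREFIX):])     # one decode; every check runs on the result
    if "\0" in rest:
        raise ValueError("NUL byte in path")
    if rest == "" or rest.endswith(("/", "\\")):
        raise ValueError("directory-style request, not a file")
    rest = rest.replace("\\", "/").lstrip("/")  # Windows accepts '\\' as a separator too
    resolved = posixpath.normpath(posixpath.join(CATALOG_ROOT, rest))
    if not resolved.startswith(CATALOG_ROOT + "/"):   # containment on the canonical path
        raise PermissionError("resolved path leaves the catalog: " + resolved)
    return resolved


def audit(url_paths):
    """Return {request: verdict} under the hardened rules; usable for log review."""
    verdicts = {}
    for p in url_paths:
        try:
            hardened_resolve(p)
            verdicts[p] = "ok"
        except PermissionError:
            verdicts[p] = "traversal"
        except ValueError:
            verdicts[p] = "malformed"
    return verdicts


# Constructed requests modelled on the alert's two formats (not captured traffic).
SAMPLE_REQUESTS = [
    "/file/test.mp3",
    "/file/test.mp3/",            # trailing separator: the crash trigger
    "/file/test.mp3\\",
    "/file/../test1.mp3",         # literal '..': caught even by the naive check
    "/file/%2E%2E/test1.mp3",     # encoded '..': slips past the naive check
    "/file/sub/%2E%2E/test.mp3",  # '..' that stays inside the catalog: legitimate
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        try:
            naive = vulnerable_resolve(req)
        except (ValueError, PermissionError) as e:
            naive = "rejected (%s)" % e
        print("%-28s naive=%-45s hardened=%s" % (req, naive, audit([req])[req]))
```

Running it prints each sample request's naive result beside the hardened verdict. The hardened resolver allows "sub/%2E%2E/test.mp3" because containment is judged on the resolved path rather than on the presence of "..", and it rejects the trailing-separator form outright instead of handing a non-file path to the open call. It decodes exactly once; a server that decodes the path a second time later on would have to repeat these checks after that decode as well.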
Impact:
A remote user can cause the Icecast server application to crash and can retrieve MP3 files from the drive the server is installed on.
Solution:
Debian has released a revised fix. The i386 package mentioned in the original alert (DSA-089-1) was incorrectly compiled and will not run on Debian GNU/Linux potato machines. This has been corrected in version 1.3.10-1.1. Verify the MD5 checksum of the downloaded package (md5sum) against the value given below before installing it with dpkg -i; the checksum is covered by the PGP signature on the advisory reproduced below.
Debian GNU/Linux 2.2 alias potato:
Potato was released for alpha, arm, i386, m68k, powerpc and sparc. This advisory only updates the i386 package.
Intel IA-32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/icecast-server_1.3.10-1.1_i386.deb
MD5 checksum: 6777c4acf5c95daf691597ed5b9ee502
This package will be moved into the stable distribution on its next revision.
For not yet released architectures please refer to the appropriate directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/
Vendor URL: www.icecast.org/
Cause:
Access control error, Exception handling error, Input validation error
Underlying OS:
Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Mon, 21 Jan 2002 21:27:49 +0100
Subject: [SECURITY] [DSA-089-2] updated i386 icecast-server package
-----BEGIN PGP SIGNED MESSAGE-----
- ------------------------------------------------------------------------
Debian Security Advisory DSA-089-2 security@debian.org
http://www.debian.org/security/ Wichert Akkerman
January 21, 2002
- ------------------------------------------------------------------------
Package : icecast-server
Problem type : remote exploit (and others)
Debian-specific: no
In Debian Security Advisory DSA-089-1 we reported that icecast-server
has several security problems. For details please see that advisory.
The i386 package mentioned in the DSA-089-1 advisory was incorrectly
compiled and will not run on Debian GNU/Linux potato machines. This
has been corrected in version 1.3.10-1.1.
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
Debian GNU/Linux 2.2 alias potato
- ---------------------------------
Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
This advisory only updates the i386 package.
Intel IA-32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/icecast-server_1.3.10-1.1_i386.deb
MD5 checksum: 6777c4acf5c95daf691597ed5b9ee502
This package will be moved into the stable distribution on its next
revision.
For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
- --
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQB1AwUBPEx5vajZR/ntlUftAQE0WQMAi+Jb3wr7WGM/RhzcQKhuQ+LJxgwH55gu
TDbuPkAH36iAshNGsKari2wGuRgpQi82toK53TKnjunNu+LP4oYWWGc6BgeVFVkK
IeHMDKaJN2aQPEPSfr9QDCy9L6ij0vtq
=seh/
-----END PGP SIGNATURE-----