SecurityTracker.com
Category:   Application (Multimedia)  >   Icecast Vendors:   Icecast.org
(Debian Issues Revised Fix) Icecast Audio Broadcasting Server Discloses MP3 Files Located Anywhere on the Installed Drive to Remote Users and Can Be Crashed Remotely
SecurityTracker Alert ID:  1003311
SecurityTracker URL:  http://securitytracker.com/id/1003311
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 21 2002
Impact:   Denial of service via network, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.3.7 for Windows
Description:   Two vulnerabilities have been reported in the Windows version of Icecast. The vulnerabilities allow remote users to cause the service to crash and allow remote users to obtain MP3 files located outside of the main Web catalog directory.

If the Icecast server has the http-server file streaming support enabled (which is not the default configuration), a remote user can reportedly cause the Icecast application to crash by adding an extra "/" or "\" to the end of the requested MP3 filename. The following format will trigger the vulnerability:

"http://[targethost]:8000/file/test.mp3/"

A remote user can also retrieve MP3 files that reside outside of the Web catalog directory by using encoded characters in the MP3 request. A remote user can replace each "." with its encoded ASCII value, so that requesting "/%25%25/" instead of "/../" will move up the directory tree. The following format will trigger the vulnerability (if test1.mp3 is located in the appropriate directory):

"http://[targethost]:8000/file/%2E%2E/test1.mp3"

Impact:   A remote user can cause the Icecast server application to crash and can retrieve MP3 files from the drive the server is installed on.
Solution:   The vendor has released a revised fix. The i386 package mentioned in the original alert (in the DSA-089-1 advisory) was incorrectly compiled and will not run on Debian GNU/Linux potato machines. This has been corrected in version 1.3.10-1.1.

Debian GNU/Linux 2.2 alias potato:

Potato was released for alpha, arm, i386, m68k, powerpc and sparc. This advisory only updates the i386 package.

Intel IA-32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/icecast-server_1.3.10-1.1_i386.deb
MD5 checksum: 6777c4acf5c95daf691597ed5b9ee502

This package will be moved into the stable distribution on its next revision.

For not yet released architectures please refer to the appropriate directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/

Vendor URL:  www.icecast.org/
Cause:   Access control error, Exception handling error, Input validation error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 26 2001 Icecast Audio Broadcasting Server Discloses MP3 Files Located Anywhere on the Installed Drive to Remote Users and Can Be Crashed Remotely



 Source Message Contents

Date:  Mon, 21 Jan 2002 21:27:49 +0100
Subject:  [SECURITY] [DSA-089-2] updated i386 icecast-server package


-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-089-2                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
January 21, 2002
- ------------------------------------------------------------------------


Package        : icecast-server
Problem type   : remote exploit (and others)
Debian-specific: no

In Debian Security Advisory DSA-089-1 we reported that icecast-server
has several security problems. For details please see that advisory.

The i386 package mentioned in the DSA-089-1 advisory was incorrectly
compiled and will not run on Debian GNU/Linux potato machines. This
has been corrected in version 1.3.10-1.1.


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
  This advisory only updates the i386 package.

  Intel IA-32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/icecast-server_1.3.10-1.1_i386.deb
      MD5 checksum: 6777c4acf5c95daf691597ed5b9ee502

  This package will be moved into the stable distribution on its next
  revision.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- -- 
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBPEx5vajZR/ntlUftAQE0WQMAi+Jb3wr7WGM/RhzcQKhuQ+LJxgwH55gu
TDbuPkAH36iAshNGsKari2wGuRgpQi82toK53TKnjunNu+LP4oYWWGc6BgeVFVkK
IeHMDKaJN2aQPEPSfr9QDCy9L6ij0vtq
=seh/
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Copyright 2014, SecurityGlobal.net LLC