J-Security Center

Title: Icecast XSL Parser Multiple Vulnerabilities

Severity: HIGH

Description:

Icecast is a freely available, open source streaming audio server. Icecast is available for the Unix, Linux, and Microsoft Windows platforms.

Icecast is reported prone to multiple vulnerabilities. The following individual issues are reported:

The Icecast XSL parser is reported to be prone to a buffer overflow vulnerability. The issue exists because the parser does not perform sufficient boundary checks on XSL 'when', 'if', and 'value-of' tag values before copying them into a finite buffer in process memory. It is reported that the vulnerability manifests when a malicious XSL file is parsed by the affected software.

An attacker may craft a malicious XSL file that is sufficient to trigger the vulnerability and transmit this file to a system administrator. If the administrator adds the file to a publicly accessible Icecast folder, the attacker may request the file and trigger the issue. This may result in a denial of service or potentially code execution in the context of the user that is running the affected software.

The Icecast XSL parser is also reported to be prone to an information disclosure vulnerability. When a request for an XSL file has a dot '.' character appended to it, the parser reportedly fails to parse the file and instead serves the XSL content to the source of the request. Icecast XSL files may potentially contain sensitive data that is not supposed to be disclosed to remote users.

A remote attacker may exploit this vulnerability to disclose the contents of XSL files that can be requested publicly. Information that is harvested by exploiting this vulnerability may be used to aid in further attacks against the target computer.

These vulnerabilities are reported to affect Icecast version 2.20; other versions might also be affected.
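
An added example, not part of the original advisory and not Icecast code: a Python audit helper for the two issues described above. It reports 'when', 'if', and 'value-of' values longer than an assumed review threshold in an XSL file before that file is placed in a web folder, and it flags access-log requests for an .xsl path followed by a dot. The threshold, function names, sample stylesheet, and log lines are constructed for illustration; 'test' and 'select' are the standard XSLT attributes that carry the values of those tags.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Tags named in the advisory, mapped to the standard XSLT attribute holding the value.
CHECKED = {"when": "test", "if": "test", "value-of": "select"}
MAX_VALUE_LEN = 256  # assumed review threshold, not a figure from the advisory

def oversized_values(xsl_text, limit=MAX_VALUE_LEN):
    """Return (tag, length) for each checked tag whose value is longer than limit."""
    root = ET.fromstring(xsl_text)
    hits = []
    for tag, attr in CHECKED.items():
        for el in root.iter("{%s}%s" % (XSL_NS, tag)):
            length = len(el.get(attr, ""))
            if length > limit:
                hits.append((tag, length))
    return hits

REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def trailing_dot_xsl_requests(log_lines):
    """Return decoded request paths that name an .xsl file followed by dots."""
    flagged = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        path = unquote(urlsplit(m.group(1)).path)  # drop query, decode %2e
        if re.search(r"\.xsl\.+$", path, re.IGNORECASE):
            flagged.append(path)
    return flagged

# Constructed sample inputs (not taken from a real server or a real file).
SAMPLE_XSL = (
    '<xsl:stylesheet version="1.0" xmlns:xsl="%s"><xsl:template match="/">'
    '<xsl:if test="a"><xsl:value-of select="%s"/></xsl:if>'
    '</xsl:template></xsl:stylesheet>' % (XSL_NS, "A" * 300)
)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:00:00:00 +0000] "GET /status.xsl HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2000:00:00:05 +0000] "GET /status.xsl. HTTP/1.0" 200 2048',
    '192.0.2.11 - - [01/Jan/2000:00:00:09 +0000] "GET /status.xsl%2e?x=1 HTTP/1.1" 200 2048',
    '192.0.2.12 - - [01/Jan/2000:00:00:12 +0000] "GET /stream.ogg HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(oversized_values(SAMPLE_XSL))
    print(trailing_dot_xsl_requests(SAMPLE_LOG))
```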

Affected Products:

  • Icecast Icecast 2.0.0
  • Icecast Icecast 2.0.1
  • Icecast Icecast 2.0.2
  • Icecast Icecast 2.1.0 .0
  • Icecast Icecast 2.2.0
