J-Security Center

Title: Winamp Web Interface Multiple Remote Vulnerabilities

Severity: HIGH

Description:

Winamp Web Interface is an open-source plugin for Winamp that allows users to access Winamp through a browser. The application is written in C++.

Winamp Web Interface is prone to multiple remote vulnerabilities, including:

- A buffer-overflow vulnerability resulting in a denial of service. The application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. This issue occurs in the 'security.cpp' file: the application does not check the size of the username and password supplied by the user before copying the data from a 255-byte buffer into a 100-byte buffer. This issue will result in a denial of service; arbitrary code execution may be possible, but this has not been confirmed.

- A buffer-overflow vulnerability resulting in arbitrary code execution. This issue affects the 'Browse()', 'CControl::Download()', and 'CControl::Load()' functions. Specifically, the application fails to bounds-check the size of a string containing the root directory and the path directory supplied by the user before copying it into a buffer that can hold up to 260 bytes. To exploit this issue, an attacker must have 'browse', 'download', and 'load' privileges.

- A directory-traversal vulnerability. This issue occurs because the application fails to sanitize user-supplied input. Specifically, the attacker can construct a specially crafted HTTP request containing a directory-traversal string to view the content of arbitrary directories. This issue occurs in the 'Browse()' function. To exploit this issue, the attacker must have browse privileges.

- An information-disclosure vulnerability. This issue occurs because the application fails to sufficiently sanitize user-supplied input to the 'path' parameter when browsing for files. If the root directory contains a file or a directory whose name consists of the root directory name followed by a substring, then an attacker can download the affected file or directory. To exploit this issue, the attacker must have browse privileges.

- An arbitrary file-download vulnerability. This issue occurs because the application fails to sufficiently sanitize user-supplied input. Specifically, an attacker with download privileges may download arbitrary files when a '.' is specified after the filename. This issue occurs in the 'IsWinampFile()' function.

An attacker can exploit these issues to execute arbitrary code within the context of the affected application, crash the affected application, deny service to legitimate users, download arbitrary files, and obtain sensitive information. Other attacks may also be possible.
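The path-handling weaknesses listed above (directory traversal, the root-name match on 'path', the trailing '.' after a filename, and the 260-byte path buffer) can all be rejected in one validation routine before any file is opened. The following C++ is an added example, not code from the plugin or from this advisory; the function names, kMaxPath and the sample paths are hypothetical, and it assumes a Windows host with the root given without a trailing separator.

```cpp
#include <cstddef>
#include <string>

// Hypothetical limit mirroring the 260-byte path buffer the advisory mentions.
constexpr std::size_t kMaxPath = 260;

static bool is_sep(char c) { return c == '/' || c == '\\'; }

// Weak form: a plain string-prefix compare accepts any path that merely
// starts with the root's name, e.g. "C:\music_private" for root "C:\music".
bool naive_under_root(const std::string& root, const std::string& full) {
    return full.compare(0, root.size(), root) == 0;
}

// Hardened form: the root must be followed by a separator or end of string.
bool under_root(const std::string& root, const std::string& full) {
    if (full.compare(0, root.size(), root) != 0) return false;
    return full.size() == root.size() || is_sep(full[root.size()]);
}

// Joins root and a user-supplied relative path. Returns false and leaves
// `out` untouched if the request is unsafe or would not fit kMaxPath bytes.
bool resolve_under_root(const std::string& root, const std::string& user,
                        std::string& out) {
    std::string full = root;              // std::string grows; no fixed buffer
    std::size_t i = 0;
    while (i <= user.size()) {
        std::size_t j = i;
        while (j < user.size() && !is_sep(user[j])) ++j;
        const std::string part = user.substr(i, j - i);
        i = j + 1;
        if (part.empty() || part == ".") continue;        // "a//b", "./a"
        if (part == "..") return false;                   // directory traversal
        if (part.find(':') != std::string::npos) return false; // drive or stream
        // Win32 drops trailing dots and spaces when opening a file, so a
        // name ending in '.' can open a file an extension check never saw.
        if (part.back() == '.' || part.back() == ' ') return false;
        full += '\\';
        full += part;
    }
    if (full.size() >= kMaxPath) return false;   // must fit with the NUL byte
    if (!under_root(root, full)) return false;   // defence in depth
    out = full;
    return true;
}
```

Only the string written to `out` should be passed on to the extension check and to the file-open call, so that the name that was validated is the name that is opened.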

Affected Products:

  • flippet.org Winamp Web Interface 7.5.13

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.