Title: Icecast Directory Traversal Vulnerability
Severity: HIGH
Description:
Icecast is an open source audio-streaming server for both Unix and Microsoft Windows systems.
A problem has been discovered in the software that could allow an attacker to gain access to sensitive information. The problem is in the handling of encoded URL requests.
Icecast does not filter encoded characters from URLs when receiving web requests. If a remote attacker crafts a URL containing the encoded ASCII equivalent of directory traversal characters, the request can escape Icecast's "root" directory. This allows the attacker to view any file readable by the user and group that the Icecast server runs as.
This could allow a remote user to obtain sensitive information such as usernames and, depending on the privileges of the Icecast server, passwords.
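The flaw described above is an ordering problem: the path is inspected before it is decoded. The C code below is an added example, not Icecast's code or its fix; the function names, buffer size and sample URL are assumptions made for illustration. It contrasts a check on the raw URL with one that decodes first and then rejects any ".." path segment.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Flawed order: search for ".." in the raw, still-encoded URL. */
int raw_check_allows(const char *url) {
    return strstr(url, "..") == NULL;
}

static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode once; -1 on bad escape, embedded NUL or overflow. */
int url_decode(const char *url, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; url[i] != '\0'; i++) {
        int c = (unsigned char)url[i];
        if (c == '%') {
            int hi = hexval((unsigned char)url[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)url[i + 2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == '\0' || o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Hardened order: decode first, then reject any ".." path segment. */
int decoded_check_allows(const char *url) {
    char path[1024];
    if (url_decode(url, path, sizeof path) != 0) return 0;
    for (const char *seg = path; seg != NULL; ) {
        size_t len = strcspn(seg, "/\\");
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        seg = seg[len] ? seg + len + 1 : NULL;
    }
    return 1;
}

int main(void) { /* constructed sample URL, not taken from the advisory */
    const char *u = "/%2e%2e/%2e%2e/outside.txt";
    return printf("raw=%d decoded=%d\n", raw_check_allows(u), decoded_check_allows(u)) < 0;
}
```

The file must then be opened using the same decoded string that passed the check; decoding a second time later in the request path reintroduces the problem.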
Affected Products:
- Caldera OpenLinux Server 3.1.0
- Caldera OpenLinux Server 3.1.1
- Conectiva Linux 4.1.0
- Conectiva Linux 4.2.0
- Conectiva Linux 5.0.0
- Conectiva Linux 5.1.0
- Conectiva Linux 6.0.0
- Icecast Icecast 1.0.0.0
- Icecast Icecast 1.1.0.0
- Icecast Icecast 1.1.1
- Icecast Icecast 1.1.2
- Icecast Icecast 1.1.3
- Icecast Icecast 1.1.4
- Icecast Icecast 1.3.0.0
- Icecast Icecast 1.3.0.10
- Icecast Icecast 1.3.5
- Icecast Icecast 1.3.5-1
- Icecast Icecast 1.3.7
- Icecast Icecast 1.3.7-1
- Icecast Icecast 1.3.8
- Icecast Icecast 1.3.8 beta2
- Icecast Icecast 1.3.9
- Icecast Icecast 1.3.9-1
- Icecast Icecast 1.3.9-2