• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Icecast Server Slash File Name Denial Of Service Vulnerability

Severity: HIGH

Description:

Icecast is an open source audio-streaming server for both Unix and Microsoft Windows systems.

A problem has been discovered in the software that could allow an attacker to gain access to sensitive information. The problem is in the handling of URL requests for files that end with a slash.

Icecast does not sufficiently sanitize user-supplied input, or sanely handle unexpected input. Upon receiving a request from a user for a file that ends with a slash or period, the server will crash. The behaviour occurs when the remote attacker adds an '/', '\' or '.' to the end the URL they craft to request the file. The request of an existing file is not necessary, as the Icecast server will fail regardless.

The successful exploitation results in a denial of service. The server much be manually restarted, or relaunched by a watchdog process to resume normal operation.

Affected Products:

• Caldera OpenLinux Server 3.1.0
• Caldera OpenLinux Server 3.1.1
• Conectiva Linux 4.1.0
• Conectiva Linux 4.2.0
• Conectiva Linux 5.0.0
• Conectiva Linux 5.1.0
• Conectiva Linux 6.0.0
• Icecast Icecast 1.0.0.0
• Icecast Icecast 1.1.0.0
• Icecast Icecast 1.1.1
• Icecast Icecast 1.1.2
• Icecast Icecast 1.1.3
• Icecast Icecast 1.1.4
• Icecast Icecast 1.3.0.0
• Icecast Icecast 1.3.0.10
• Icecast Icecast 1.3.10-1
• Icecast Icecast 1.3.5
• Icecast Icecast 1.3.5-1
• Icecast Icecast 1.3.7
• Icecast Icecast 1.3.7-1
• Icecast Icecast 1.3.8
• Icecast Icecast 1.3.8 beta2
• Icecast Icecast 1.3.9
• Icecast Icecast 1.3.9-1
• Icecast Icecast 1.3.9-2

References:

• Icecast: Icecast Product Page

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.