Vulnerability Development mailing list archives

Re: VANED LABS: icecast filesystem disclosure


From: <matt () palecrow com>
Date: 16 Jul 2002 20:25:58 -0000

In-Reply-To: <20020709183903.GA1407 () VANED NET>

Icecast allows for remote probing of the underlying filesystem structure. (On a side note, this can also be used to list files with a .mp3 extension anywhere on the system. send_file() does do traversal checking.)

Just an FYI: maybe Icecast has further info about this,
but I think it might be a good idea to 'jail' Icecast
if possible. 

A little while back I wrote a paper describing how to
do that specifically with Icecast.  You'll have to
search for 'icecast' in the following page to get to
the walkthrough. 

http://www.palecrow.com/chroot-jail-paper.html

If they haven't already, I'd like it if Icecast
developers would incorporate the ability to jail the
server during the install, as a further protection
against bad inputs and file snooping.

Thanks!

Matt Borland
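The two defences this message touches on, the traversal check the advisory credits to send_file() and the chroot jail Matt recommends, as an added C example. It is neither Icecast's own code nor the walkthrough in the linked paper; the jail directory, uid and gid in the start-up comment are assumed values, and the sample requests are constructed.

```c
/* Added example (not Icecast's code, not the linked paper): the two layers
 * of defence this thread discusses, in the order a server should apply
 * them. confine_path() is the traversal check every file-serving code path
 * (not only send_file()) has to run on client input; enter_jail() is the
 * chroot + privilege drop that limits the damage if such a check is bypassed.
 * The jail path, uid and gid used at the bottom are assumed values. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_SEGMENTS 64

/* Lexically normalize a client-supplied path relative to the document root:
 * resolve "." and "..", collapse repeated slashes, and reject any request
 * that would climb above the root. Returns 0 and writes the root-relative
 * path (no leading slash) to out, or -1 on rejection or overflow. */
int confine_path(const char *req, char *out, size_t outlen)
{
    size_t starts[MAX_SEGMENTS]; /* out offset where each segment began */
    size_t depth = 0, pos = 0;
    const char *p = req;

    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*p) {
        while (*p == '/') p++;           /* skip one or more separators */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);

        if (len == 1 && seg[0] == '.') continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return -1;   /* ".." above the root: reject */
            pos = starts[--depth];       /* drop the previous segment */
            out[pos] = '\0';
            continue;
        }
        if (depth == MAX_SEGMENTS || pos + len + 2 > outlen) return -1;
        starts[depth++] = pos;
        if (pos > 0) out[pos++] = '/';
        memcpy(out + pos, seg, len);
        pos += len;
        out[pos] = '\0';
    }
    return 0;
}

/* Returns 1 when `req` is accepted and normalizes to `expect`, or when
 * `expect` is NULL and the request is rejected; 0 otherwise. */
int confine_matches(const char *req, const char *expect)
{
    char buf[256];
    int rc = confine_path(req, buf, sizeof buf);
    if (expect == NULL) return rc != 0;
    return rc == 0 && strcmp(buf, expect) == 0;
}

/* Confine the process to `dir` and drop root, in the order that matters:
 * chdir into the jail first (so the cwd is inside it), chroot, chdir("/")
 * again relative to the new root, then shed supplementary groups, gid and
 * finally uid. Refuses to leave the process as root inside the jail and
 * verifies afterwards that root cannot be regained. Needs root to succeed;
 * returns 0 on success, -1 with errno set otherwise. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (chdir(dir) != 0) return -1;
    if (chroot(dir) != 0) return -1;
    if (chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;               /* drop did not stick: do not serve */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* constructed sample requests, as a client might send them */
    const char *requests[] = {
        "music/live/../song.mp3", "./music//song.mp3",
        "../etc/passwd", "music/../../etc/passwd", "/",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (confine_path(requests[i], buf, sizeof buf) == 0)
            printf("accept %-26s -> /%s\n", requests[i], buf);
        else
            printf("reject %s\n", requests[i]);
    }
    /* At daemon start-up, before any connection is accepted (assumed
     * jail path and ids):
     *   if (enter_jail("/var/jail/icecast", 1001, 1001) != 0) exit(1); */
    return 0;
}
```

The check must run on the decoded request (percent-decoding first) and on every code path that touches the filesystem, directory listings included, which is the gap the advisory's side note describes. It is purely lexical: it does not follow symlinks or account for case-insensitive filesystems, which is exactly why the jail is worth having as the second layer. The jail directory itself has to be populated with the binaries, libraries, configuration and device nodes the server needs, which is what the linked walkthrough covers.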


Current thread: