Vulnerability Development mailing list archives
Re: VANED LABS: icecast filesystem disclosure
From: <matt () palecrow com>
Date: 16 Jul 2002 20:25:58 -0000
In-Reply-To: <20020709183903.GA1407 () VANED NET>
Icecast allows for remote probing of the underlying filesystem structure. (on a side note, this can also be used to list files with a .mp3 extension anywhere on the system. send_file() does do traversal checking.)
Just an FYI: maybe Icecast has further info about this, but I think it might be a good idea to 'jail' Icecast if possible. A little while back I wrote a paper describing how to do that specifically with Icecast. You'll have to search for 'icecast' in the following page to get to the walkthrough.

http://www.palecrow.com/chroot-jail-paper.html

If they haven't already, I'd like it if Icecast developers would incorporate the ability to jail the server during the install, as a further protection against bad inputs and file snooping.

Thanks!
Matt Borland
Current thread:
- VANED LABS: icecast filesystem disclosure glaive (Jul 09)
- <Possible follow-ups>
- Re: VANED LABS: icecast filesystem disclosure matt (Jul 16)