| VID |
22283 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Icecast program, according to its version number, has a Directory Traversal Vulnerability.
Icecast is an open-source mp3 broadcasting program for Windows and Unix-based operating systems. Icecast 1.3.9 version and earlier could allow a remote attacker to traverse directories on the Web server. By sending a specially-crafted URL containing hexadecimal URL encoded "dot dot" sequences "/%2E%2E/" (in place of the standard "dot dot" sequences used for this type of attack), a remote attacker could traverse directories and read arbitrary files on the Web server.
* Note: This check solely relied on the version number of the remote Icecast to assess this vulnerability, so this might be a false positive.
* References:
http://www.osvdb.org/displayvuln.php?osvdb_id=1883
* Platforms Affected:
Icecast 1.3.9 and prior
Linux Any version |
| Recommendation |
Upgrade to the latest version of Icecast (1.3.12 or later) fixed this issue, available from the Icecast Web site at http://svn.xiph.org/releases/icecast/
For Debian GNU/Linux 2.2:
Upgrade to the latest version of icecast (1.3.10-1 or later), as listed in Debian Security Advisory DSA-089-2 at http://www.debian.org/security/2001/dsa-089
For Red Hat Powertools 7.0 and 7.1:
Upgrade to the latest version of icecast (1.3.12-1 or later), as listed in Red Hat, Inc. Red Hat Security Advisory RHSA-2002:063-05 at http://rhn.redhat.com/errata/RHSA-2002-063.html
For Caldera OpenLinux Server 3.1 and 3.1.1:
Upgrade to the latest version of icecast (1.3.12-1 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2002-020.0 at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2002-020.0.txt
For other distributions:
Contact your vendor for patch or upgrade information. |
| Related URL |
CVE-2001-0784 (CVE) |
| Related URL |
2932 (SecurityFocus) |
| Related URL |
6752 (ISS) |
|
