VID 22286
Severity 30
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The remote Icecast server, according to its version number, is affected by a crafted-URL denial of service vulnerability.
Icecast is an open-source mp3 broadcasting program for Windows and Unix-based operating systems. Icecast version 1.3.7, and possibly other versions, is vulnerable to a denial of service attack caused by a failure to sufficiently sanitize user-supplied input or to sanely handle unexpected input. If HTTP server file streaming support is enabled, a remote attacker can send a URL request for an mp3 file with a "/" or "\" appended, causing the server to crash. The server must be restarted to regain normal functionality.

* Note: This check relies solely on the version number reported by the remote Icecast server to assess this vulnerability, so it might be a false positive (for example, a vendor build that backports the fix under an older version number).

* References:
http://www.osvdb.org/displayvuln.php?osvdb_id=5472
http://securitytracker.com/alerts/2001/Jun/1001838.html

* Platforms Affected:
Icecast 1.3.7
Linux Any version
Recommendation Upgrade to Icecast 1.3.12 or later, which fixes this issue, available from the Icecast Web site at http://svn.xiph.org/releases/icecast/

For Debian GNU/Linux 2.2:
Upgrade to the latest version of icecast (1.3.10-1 or later), as listed in Debian Security Advisory DSA-089-2 at http://www.debian.org/security/2001/dsa-089

For Red Hat Powertools 7.0 and 7.1:
Upgrade to the latest version of icecast (1.3.12-1 or later), as listed in Red Hat, Inc. Red Hat Security Advisory RHSA-2002:063-05 at http://rhn.redhat.com/errata/RHSA-2002-063.html

For Caldera OpenLinux Server 3.1 and 3.1.1:
Upgrade to the latest version of icecast (1.3.12-1 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2002-020.0 at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2002-020.0.txt

For other distributions:
Contact your vendor for patch or upgrade information.
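The following is an added example, not code from this scanner or from the Icecast project, showing the kind of version-based assessment the note above describes and why it can produce false positives against the vendor builds listed in the recommendation. It assumes the server announces itself with a `Server:` header of the form `icecast/MAJOR.MINOR.PATCH` (optionally with a `-REVISION` package suffix); that banner format, the `vendor` hint (which a caller would derive from OS fingerprinting), and the sample HTTP response are assumptions constructed for the example. The fixed versions in the table come from this page: upstream 1.3.12, Debian 1.3.10-1, Red Hat and Caldera 1.3.12-1.

```python
import re

# Upstream fix level stated in the recommendation: Icecast 1.3.12 or later.
UPSTREAM_FIXED = (1, 3, 12)

# Vendor packages listed as fixed on this page. Debian shipped the fix as
# 1.3.10-1, i.e. under a version number older than the upstream fix, which is
# exactly the case a pure upstream version check misjudges.
# value: (minimum fixed version tuple, minimum package revision)
VENDOR_FIXED = {
    "debian": ((1, 3, 10), 1),
    "redhat": ((1, 3, 12), 1),
    "caldera": ((1, 3, 12), 1),
}

# Assumed banner format, e.g. "icecast/1.3.7" or "icecast/1.3.10-1".
_BANNER_RE = re.compile(r"icecast/(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", re.IGNORECASE)


def server_header_from_response(raw_response):
    """Return the Server: header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def parse_icecast_version(server_header):
    """Return ((major, minor, patch), revision_or_None) or None if not Icecast."""
    m = _BANNER_RE.search(server_header)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1, 2, 3))
    revision = int(m.group(4)) if m.group(4) else None
    return version, revision


def is_vulnerable(server_header, vendor=None):
    """Version-only assessment, as the scanner note describes.

    Returns True (likely vulnerable), False (at or above a fixed version),
    or None (banner is not Icecast). `vendor` is an optional hint such as
    "debian" that lets a backported fix be recognised; without it the
    upstream rule is applied and a patched Debian 1.3.10-1 is still flagged.
    """
    parsed = parse_icecast_version(server_header)
    if parsed is None:
        return None
    version, revision = parsed
    if version >= UPSTREAM_FIXED:
        return False
    if vendor in VENDOR_FIXED:
        fixed_version, fixed_revision = VENDOR_FIXED[vendor]
        if version > fixed_version:
            return False
        if version == fixed_version and revision is not None and revision >= fixed_revision:
            return False
    return True


# Constructed sample response for a stand-alone run (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: icecast/1.3.7\r\n"
    "Content-Type: audio/mpeg\r\n"
    "\r\n"
)

if __name__ == "__main__":
    banner = server_header_from_response(SAMPLE_RESPONSE)
    print(banner, "->", is_vulnerable(banner))
    # The same Debian banner judged with and without the vendor hint:
    print("icecast/1.3.10-1 (no hint)   ->", is_vulnerable("icecast/1.3.10-1"))
    print("icecast/1.3.10-1 (debian)    ->", is_vulnerable("icecast/1.3.10-1", vendor="debian"))
```

The two results for `icecast/1.3.10-1` are the point of the example: a scanner that compares only against the upstream fix level reports Debian's patched package as vulnerable, which is the false positive the note warns about. Confirming the finding still requires checking the installed package version on the host or the vendor advisory, not a crafted request against a production streamer.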
Related URL CVE-2001-1083 (CVE)
Related URL 2933 (SecurityFocus)
Related URL 6751 (ISS)