Icecast Encoded Traversal Arbitrary File Access

medium Nessus Plugin ID 15396

Synopsis

The remote streaming audio server is affected by an information disclosure vulnerability.

Description

The remote server runs Icecast, an open source streaming audio server, at version 1.3.10 or older.

These versions are affected by a directory traversal flaw because the application fails to properly sanitize user-supplied input.

An attacker could send a specially crafted URL to view arbitrary files on the system.

Note: Nessus reports this vulnerability using only information that was gathered.

Solution

Upgrade to Icecast 1.3.12 or later, as this reportedly fixes the issue.

See Also

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-020.0.txt

https://seclists.org/bugtraq/2001/Jun/373

Plugin Details

Severity: Medium

ID: 15396

File Name: icecast_dir_traversal.nasl

Version: 1.20

Type: remote

Family: CGI abuses

Published: 10/1/2004

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.5

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:icecast:icecast

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 6/26/2001

Reference Information

CVE: CVE-2001-0784

BID: 2932

DSA: 089