[icecast-dev] [PATCH] is it of any interest ?

Jerome Alet alet at unice.fr
Wed Nov 7 07:44:22 PST 2001

On Wed, 7 Nov 2001, Jack Moffitt wrote:

> > of course this is not secure at all yet, but anyway maybe it's useful to
> > someone as a starting point.
> > 
> > any comment ?
> I recommend that _no one_ run this patch on any server.  It allows
> execution access to any file on the system as the user that icecast is
> run as.  This is a surefire way to get yourself hacked to hell.

You're perfectly right of course ! 

This was just a try, if you put this on a production server you should be
shot dead immediately ;-) and that's why I didn't post it to
icecast at xiph.org !

Please consider this as a starting point, it was a 30 minutes hack without
knowing any of icecast internals. I even don't know how popen behaves in
a heavily multithreaded application.
> cgi's need to be run from a certain directory only.

yes, but I didn't want to put it in /static/ and I didn't want to 
add an entry to the config file just for testing.

a new cgi-dir entry in icecast.conf would be fine, and if unset it would
be completely deactivated for security reasons.

maybe a cgi-user and a cgi-follow-symlinks entries would be fine too.

> You shouldn't allow arbitrary files to be executed.  Also you need to
> pass a modified environment to the script in order for this to be real
> CGI.

Yes, the following test program was used and may prove to be useful in
testing such a functionnality :

--- CUT ---
#! /usr/bin/python

import cgi
--- CUT ---

Are you interested in me trying to make it more secure or do you prefer to
let other servers (Apache) handle this sort of things and stop now ? Again
this was just a quick hack and I don't mind putting it in the trashcan.


Jerome Alet

--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-dev-request at xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.

More information about the Icecast-dev mailing list