[Icecast] [Fwd: IceCast up to v2.20 multiple vulnerabilities]

Michael Smith mlrsmith at gmail.com
Sun Mar 20 17:24:05 PST 2005


> 1) The XSL parser has some unchecked buffers (local), but they dont seem
> to be exploitable. If they are, they can be used for priviledge
> escalation, under the user that the server runs.
> 
> <xsl:when test="<lots of chars>"></xsl:when>
> <xsl:if test="<lots of chars>"></xsl:if>
> <xsl:value-of select="<lots of chars>" />
> 
> 2) Cause XSL parser error "Could not parse XSLT file". (Not very useful).
> 
> GET /status.xsl> HTTP/1.0
> GET /status.xsl< HTTP/1.0
> GET /<status.xsl HTTP/1.0
> 
> 3) XSL parser bypass. (Useful to steal customized XSL files, lol).
> 
> GET /auth.xsl. HTTP/1.0
> GET /status.xsl. HTTP/1.0


For what it's worth, 2) and 3) aren't reproducible with the current
version (from svn). To my knowledge, there have been no relevant
changes here since 2.2, I'd be very surprised if they were
reproducible with 2.2 (or earlier?), but I don't really have the time
to test. I still don't know what 1) is about, so I'm not sure if that
matters.

Mike


More information about the Icecast mailing list