Package: icecast2
Version: 2.4.0-1.1
Severity: important

icecast can be killed by anyone with a simple HTTP request when <authentication type="url"> is used and a stream_auth handler is defined.

Example configuration:

    <mount>
        <mount-name>/test</mount-name>
        <authentication type="url">
            <option name="stream_auth" value="http://127.0.0.1/bla"/>
        </authentication>
    </mount>

(Note: It does not matter where the URL for stream_auth points to, if it is reachable or not. Actually icecast dies before even accessing that URL.)

Given the above configuration anyone can now easily kill icecast by this command:

    wget http://<servername>:8000/admin/killsource?mount=/test

This only happens when making a request WITHOUT login credentials.

I'm marking this bug important but it might justify a higher severity. With this security problem the package appears unfit for release.
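
A configuration check for the condition described in the report, added here as an example and not part of the original bug report or of icecast: it lists every mount in an icecast.xml that combines <authentication type="url"> with a stream_auth option. The function name and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample icecast.xml fragment: one mount matching the report's
# configuration, one mount with htpasswd auth, one with no authentication.
SAMPLE_CONFIG = """<icecast>
  <mount>
    <mount-name>/test</mount-name>
    <authentication type="url">
      <option name="stream_auth" value="http://127.0.0.1/bla"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/private</mount-name>
    <authentication type="htpasswd">
      <option name="filename" value="myauth"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/open</mount-name>
  </mount>
</icecast>"""


def find_affected_mounts(config_xml):
    """Return (mount-name, stream_auth URL) for every <mount> that uses
    <authentication type="url"> together with a stream_auth option."""
    root = ET.fromstring(config_xml)
    affected = []
    for mount in root.iter("mount"):
        name = (mount.findtext("mount-name") or "").strip() or "<unnamed>"
        for auth in mount.findall("authentication"):
            if auth.get("type") != "url":
                continue  # other authentication types are not the reported case
            for opt in auth.findall("option"):
                if opt.get("name") == "stream_auth":
                    affected.append((name, opt.get("value", "")))
    return affected


if __name__ == "__main__":
    import sys
    # Pass a path to audit a real file; with no argument the sample is used.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, url in find_affected_mounts(xml_text):
        print(f"mount {name}: url auth with stream_auth={url}")
```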