Bug#782120: icecast2: icecast can be remotely killed by anyone if using <authentication type="url"> and stream_auth option
Juliane Holzt
juliane at holzt.de
Wed Apr 8 05:59:15 UTC 2015
Package: icecast2
Version: 2.4.0-1.1
Severity: important
icecast can be killed by anyone with a simple HTTP request when
<authentication type="url"> is used and a stream_auth handler is
defined.
Example configuration:
    <mount>
        <mount-name>/test</mount-name>
        <authentication type="url">
            <option name="stream_auth" value="http://127.0.0.1/bla"/>
        </authentication>
    </mount>
(Note: It does not matter where the URL for stream_auth points to,
or whether it is reachable or not. Actually icecast dies before even
accessing that URL.)
Given the above configuration anyone can now easily kill icecast
by this command:
    wget http://<servername>:8000/admin/killsource?mount=/test
This only happens when making a request WITHOUT login credentials.
I'm marking this bug important but it might justify a higher
severity. With this security problem the package appears unfit
for release.
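
Added example, not part of the original report and not icecast project code: a small audit script that lists the mounts in an icecast configuration matching the setup described above (<authentication type="url"> together with a stream_auth option), so an administrator can see which mounts are exposed. The function name affected_mounts and the sample configuration are constructed for illustration; the script assumes the usual <icecast> root element containing <mount> sections.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not from the report): one mount matching
# the reported setup, one URL-auth mount without stream_auth, one without auth.
SAMPLE_CONFIG = """\
<icecast>
  <mount>
    <mount-name>/test</mount-name>
    <authentication type="url">
      <option name="stream_auth" value="http://127.0.0.1/bla"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/listeners</mount-name>
    <authentication type="url">
      <option name="listener_add" value="http://127.0.0.1/add"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/open</mount-name>
  </mount>
</icecast>
"""


def affected_mounts(config_xml):
    """Return names of mounts that combine URL auth with a stream_auth option."""
    root = ET.fromstring(config_xml)
    hits = []
    for mount in root.iter("mount"):
        name = (mount.findtext("mount-name") or "(unnamed)").strip()
        for auth in mount.findall("authentication"):
            # Only the URL authenticator is named in the report.
            if (auth.get("type") or "").strip().lower() != "url":
                continue
            options = {(o.get("name") or "").strip() for o in auth.findall("option")}
            if "stream_auth" in options:
                hits.append(name)
                break
    return hits


if __name__ == "__main__":
    for name in affected_mounts(SAMPLE_CONFIG):
        print(f'mount {name}: authentication type="url" with stream_auth set')
```

To check a real installation, pass the contents of the local icecast configuration file to affected_mounts() instead of SAMPLE_CONFIG.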