Icecast Server Remote Directory Traversal Vulnerability


Vulnerability ID: 1106839
Vulnerability type: Input validation
Published: 2002-07-09
Updated: 2005-10-20
CVE ID: CVE-2002-1982
CNNVD-ID: CNNVD-200212-101
Platform: Linux
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/21602
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-101
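|Vulnerability details
Icecast is a free, open source audio streaming server that runs on a variety of Unix/Linux operating systems and also on Microsoft Windows. The Icecast server does not correctly and sufficiently check user-supplied input, and a remote attacker can exploit this vulnerability to carry out a directory traversal attack. The list_directory() function in the Icecast server does not adequately filter user-submitted requests; a remote attacker can submit a URL request containing multiple '../' sequences, which can allow the contents of arbitrary files on the system to be viewed with the privileges of the Icecast process.
|Exploit (EXP)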
source: http://www.securityfocus.com/bid/5189/info


Icecast is a freely available, open source streaming audio server. Icecast is available for the Unix, Linux, and Microsoft Windows platforms.

An attacker may exploit a directory traversal vulnerability in Icecast server to determine the existence of a specified directory outside of the web root. This is a result of the server returning different HTTP results for each case.

GET /file/../../../../../../../../nonexistent/ HTTP/1.0

GET /file/../../../../../../../../etc/ HTTP/1.0
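
The kind of check whose absence is described above, as an added example (not Icecast's code and not the vendor's fix): a lexical resolver that refuses any request path whose '..' segments climb above the document root, and a wrapper that returns the same NULL for every refusal so the response cannot differ by what exists on disk. DOC_ROOT and resolve_or_null() are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: constructed document root, no trailing slash. */
#define DOC_ROOT "/srv/icecast/static"

/* Lexically normalise an already URL-decoded request path and join it to
 * root. Returns 0 on success, -1 if a ".." segment would climb above root
 * or the result does not fit. Symlinks are not resolved here. */
int resolve_under_root(const char *root, const char *req, char *out, size_t outlen)
{
    size_t rootlen = strlen(root), len = rootlen, n;
    const char *p = req, *seg;

    if (rootlen + 1 > outlen) return -1;
    memcpy(out, root, rootlen + 1);
    while (*p) {
        while (*p == '/') p++;                 /* collapse repeated slashes */
        seg = p;
        while (*p && *p != '/') p++;
        n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == rootlen) return -1;     /* would leave the root */
            while (out[len - 1] != '/') len--; /* drop the last segment */
            out[--len] = '\0';                 /* and its leading slash */
            continue;
        }
        if (len + n + 2 > outlen) return -1;   /* '/' + segment + NUL */
        out[len++] = '/';
        memcpy(out + len, seg, n);
        len += n;
        out[len] = '\0';
    }
    return 0;
}

/* Hypothetical wrapper: resolved path, or NULL for every rejected request. */
const char *resolve_or_null(const char *req)
{
    static char buf[256];
    return resolve_under_root(DOC_ROOT, req, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    printf("%s %s\n", resolve_or_null("/file/a.mp3") ? "served" : "rejected",
           resolve_or_null("/file/../../etc/") ? "served" : "rejected");
    return 0;
}
```

The input must already be URL-decoded exactly once, and a deployment that permits symlinks under the root also needs a realpath() prefix check on the resolved path.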
|References

Source: BID
Name: 5189
Link: http://www.securityfocus.com/bid/5189
Source: XF
Name: icecast-dotdot-information-disclosure(9530)
Link: http://www.iss.net/security_center/static/9530.php
Source: NSFOCUS
Name: 3095
Link: http://www.nsfocus.net/vulndb/3095
