Bugtraq Announces SHOUTCast Security Problem
Various OSAll Staff
It's been two days since Bugtraq announced a major security problem in SHOUTCast, the MP3 streaming software. SHOUTCast is currently used by around six hundred servers and more than two thousand listeners at any one time.
The problem, as described by the advisory on Bugtraq, is that the SHOUTCast administration password is stored in plaintext in a configuration file. In a default installation the configuration file is world-readable, although it is possible to change the permissions.
Winamp (owned by AOL), the manufacturer of SHOUTCast, has yet to respond to the security problem and apparently has no plans to change the storage of passwords or the permissions on the configuration files.
Winamp did not answer OSAll's e-mail. The Bugtraq-posted advisory is reprinted with permission below:
Greetings Bugtraq, this is my first posting of an advisory, so go easy on me =)
I was recently setting up a Nullsoft SHOUTcast server to relay some content when I noticed the Administrator password is stored plain text in the configuration file (./sc_serv.conf by default).
The password is also LOGGED when the web based administration tool is used. It can be obtained by simply grep'ing the logfile output. The offending line is here: <08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))
Obtaining the Administrator password allows administration via the web based system, as well as hijacking the content stream going out to listeners.
A quick fix would be to simply chmod the log and config files to prevent world reading. Nullsoft should of course parse their log output for sensitive data, and possibly look into UNIX crypt() for its passwords.
-arr0w
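The two weaknesses the advisory describes, a world-readable config and log file and the admin password echoed into the request log as a `pass=` query parameter, can both be checked from a shell. The script below is an added example, not code from the OSAll article or from arr0w's advisory: it flags files that are readable by "other", applies the advisory's chmod quick fix, counts log lines that still carry a cleartext `pass=` value, and writes a redacted copy of the log. The `AdminPassword` key name, the `sc_serv.log` file name and the sample request line are constructed for the example; only `sc_serv.conf` and the shape of the logged request come from the advisory.

```shell
#!/bin/sh
# Added example, not code from the OSAll article or from arr0w's advisory.
# Defender-side checks for the two issues the advisory describes:
#   1. the admin password sitting in a config file and a request log that
#      are world-readable by default;
#   2. the password landing in the request log via "?pass=...".
# The config key name is a placeholder; sc_serv.conf is the default file
# name the advisory gives, the log file name is assumed.

# Exit status 0 if "other" has read permission on the file, 1 otherwise.
world_readable() {
    mode=$(ls -l "$1" | cut -c1-10)      # e.g. -rw-r--r--
    case "$mode" in
        *r??) return 0 ;;                # read bit set in the "other" triplet
        *)    return 1 ;;
    esac
}

# The advisory's quick fix: make the files owner-only.
harden() {
    chmod 600 "$@"
}

# Print the log with the value of the pass= query parameter masked.
redact_log() {
    sed 's/\([?&]pass=\)[^&" ]*/\1[REDACTED]/g' "$1"
}

# Number of log lines that still carry a cleartext pass= value.
count_leaks() {
    grep 'pass=[^&" ]' "$1" | grep -vc 'pass=\[REDACTED\]' || true
}

# Build a constructed config + log in a temp dir and print the dir path.
# The password value and the request lines are invented for this example,
# modelled on the log line quoted in the advisory.
make_sample() {
    d=$(mktemp -d)
    printf 'AdminPassword=example-secret\n' > "$d/sc_serv.conf"   # placeholder key name
    printf '%s\n' \
      '<08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=example-secret&mode=viewlog" (Mozilla/4.0)' \
      '<08/20/99@06:12:02> [http:2 my.computer.com] REQ:"/index.html" (Mozilla/4.0)' \
      > "$d/sc_serv.log"
    chmod 644 "$d/sc_serv.conf" "$d/sc_serv.log"   # the permissive default
    printf '%s\n' "$d"
}

main() {
    d=$(make_sample)
    for f in "$d/sc_serv.conf" "$d/sc_serv.log"; do
        if world_readable "$f"; then
            echo "WARNING: $f is world-readable"
        fi
    done
    echo "cleartext password lines in log: $(count_leaks "$d/sc_serv.log")"
    harden "$d/sc_serv.conf" "$d/sc_serv.log"
    redact_log "$d/sc_serv.log" > "$d/sc_serv.log.redacted"
    echo "cleartext password lines after redaction: $(count_leaks "$d/sc_serv.log.redacted")"
    rm -rf "$d"
}

main
```

Run it with `sh check_shoutcast.sh`; on the constructed sample it reports both files as world-readable and one leaking log line before redaction, none after. Redaction only hides the value in copies handed to other people; the server keeps writing the password into the live log, so the chmod on the log file is the part that matters until the logging itself changes.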