Hi,
While looking at icecast's sources, I wondered if this was feasible, so
I've tried and it seems to work:
the attached patch allows a /cgi-bin/ url in icecast-1.3.11 to launch cgi
scripts directly from within icecast.
you have to put the real absolute pathname to the cgi script, and it seems
to more or less work.
WARNING: you must use two slashes after "cgi-bin" for an absolute
path,
else the script will be launched from icecast's current directory.
of course this is not secure at all yet, but anyway maybe it's useful to
someone as a starting point.
any comment ?
Jerome Alet - alet@unice.fr - http://cortex.unice.fr/~jerome
Fac de Medecine de Nice http://wwwmed.unice.fr
Tel: (+33) 4 93 37 76 30 Fax: (+33) 4 93 53 15 15
28 Avenue de Valombrose - 06107 NICE Cedex 2 - FRANCE
diff -ubrw icecast-1.3.11/src/client.c icecast-1.3.11-cgipatch/src/client.c
--- icecast-1.3.11/src/client.c Thu Aug 2 01:06:53 2001
+++ icecast-1.3.11-cgipatch/src/client.c Wed Nov 7 15:26:24 2001
@@ -206,6 +206,42 @@
return;
}
+#ifdef HAVE_UNISTD_H
+ if (ice_strncmp(req.path, "/cgi-bin/", 9) == 0) {
+ char *fname;
+ FILE *cgioutput;
+ char buffer[8192];
+ int status;
+ size_t count;
+
+ thread_rename("CGI Script Thread");
+ fname = req.path + 9;
+ if (*fname) {
+ cgioutput = popen(fname, "r");
+ if (cgioutput != NULL) {
+ while ((count = fread(buffer, 1, sizeof(buffer), cgioutput))) {
+ sock_write_bytes(con->sock, buffer, count);
+ }
+ status = pclose(cgioutput);
+ if (WIFEXITED(status)) {
+ if (WEXITSTATUS(status)) {
+ kick_not_connected(con, "CGI Script terminated with an error");
+ } else {
+ kick_not_connected(con, "CGI Script terminated with no error");
+ }
+ } else {
+ kick_not_connected(con, "CGI Script terminated abnormally");
+ }
+ } else {
+ kick_not_connected(con, "Error in popen");
+ }
+ } else {
+ kick_not_connected(con, "No CGI Script name");
+ }
+ return;
+ }
+#endif
+
xa_debug (1, "Looking for mount [%s:%d%s]", req.host,
req.port, req.path);
/* Try to find a mount point with this name */
--- >8 ----
List archives: http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-dev-request@xiph.org'
containing only the word 'unsubscribe' in the body. No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.
Jack Moffitt wrote:>I recommend that _no one_ run this patch on any server. It allows >execution access to any file on the system as the user that icecast is >run as. This is a surefire way to get yourself hacked to hell. > >The idea is nice, but you should really pay a lot more attention to >security issues. cgi's need to be run from a certain directory only. >You shouldn't allow arbitrary files to be executed. Also you need to >pass a modified environment to the script in order for this to be real >CGI. >that said, whenever possible, always let a web server do what it is worth, including serving cgi-bin scripts, dynamic webpages, or static content. let the webserver do everything other than streaming. i even strongly recommend using httpd to serve the static directory in icecast. if you're going to serve a lot of static files, this not only takes the load off icecast, httpd is also more fine tuned for performance, security, and standard compliance in this case. most icecast servers uses port 8000, so it doesn't fight with a web server. also, i have a question regarding patches ... if i want to look for potential bugs and perhaps donate a bugfix, is it better to do it for the current stable release (1.3.11) or is it better to work on icecast 2.0? what is the development plan now? liulk --- >8 ---- List archives: http://www.xiph.org/archives/ icecast project homepage: http://www.icecast.org/ To unsubscribe from this list, send a message to 'icecast-dev-request@xiph.org' containing only the word 'unsubscribe' in the body. No subject is needed. Unsubscribe messages sent to the list will be ignored/filtered.
On Wed, 7 Nov 2001, Jack Moffitt wrote:> > of course this is not secure at all yet, but anyway maybe it's useful to > > someone as a starting point. > > > > any comment ? > > I recommend that _no one_ run this patch on any server. It allows > execution access to any file on the system as the user that icecast is > run as. This is a surefire way to get yourself hacked to hell.You're perfectly right of course ! This was just a try, if you put this on a production server you should be shot dead immediately ;-) and that's why I didn't post it to icecast@xiph.org ! Please consider this as a starting point, it was a 30 minutes hack without knowing any of icecast internals. I even don't know how popen behaves in a heavily multithreaded application.> cgi's need to be run from a certain directory only.yes, but I didn't want to put it in /static/ and I didn't want to add an entry to the config file just for testing. a new cgi-dir entry in icecast.conf would be fine, and if unset it would be completely deactivated for security reasons. maybe a cgi-user and a cgi-follow-symlinks entries would be fine too.> You shouldn't allow arbitrary files to be executed. Also you need to > pass a modified environment to the script in order for this to be real > CGI.Yes, the following test program was used and may prove to be useful in testing such a functionnality : --- CUT --- #! /usr/bin/python import cgi cgi.test() --- CUT --- Are you interested in me trying to make it more secure or do you prefer to let other servers (Apache) handle this sort of things and stop now ? Again this was just a quick hack and I don't mind putting it in the trashcan. bye, Jerome Alet --- >8 ---- List archives: http://www.xiph.org/archives/ icecast project homepage: http://www.icecast.org/ To unsubscribe from this list, send a message to 'icecast-dev-request@xiph.org' containing only the word 'unsubscribe' in the body. No subject is needed. Unsubscribe messages sent to the list will be ignored/filtered.
> of course this is not secure at all yet, but anyway maybe it's useful to > someone as a starting point. > > any comment ?I recommend that _no one_ run this patch on any server. It allows execution access to any file on the system as the user that icecast is run as. This is a surefire way to get yourself hacked to hell. The idea is nice, but you should really pay a lot more attention to security issues. cgi's need to be run from a certain directory only. You shouldn't allow arbitrary files to be executed. Also you need to pass a modified environment to the script in order for this to be real CGI. jack. --- >8 ---- List archives: http://www.xiph.org/archives/ icecast project homepage: http://www.icecast.org/ To unsubscribe from this list, send a message to 'icecast-dev-request@xiph.org' containing only the word 'unsubscribe' in the body. No subject is needed. Unsubscribe messages sent to the list will be ignored/filtered.