Matthias Geerdsen
2004-Sep-02 01:34 UTC
[Icecast-dev] Icecast 2 affected by cross-site scripting vulnerability in status-display?
Hi,

since Icecast <=1.3.12 has been affected by a cross-site scripting vulnerability in the status display (s. <http://securitytracker.com/alerts/2004/Aug/1011046.html> and <http://www.debian.org/security/2004/dsa-541>) it appears to be unclear so far if Icecast 2.x is vulnerable too. Can anyone of you maybe confirm it is affected/not affected?

Regards,
Matthias
Geoff Shang
2004-Sep-02 20:22 UTC
[Icecast-dev] Icecast 2 affected by cross-site scripting vulnerability in status-display?
Hi:

Icecast 2.x is a complete rewrite, so any bugs in icecast 1.x are not necessarily present in version 2. This is not to say that the bug doesn't exist, just that it doesn't exist by virtue of having inherited it from icecast 1.

Note that I'm not a developer so I can't answer your question as such. Maybe try to reproduce the bug?

Geoff.
Michael Smith
2004-Sep-02 21:09 UTC
[Icecast-dev] Icecast 2 affected by cross-site scripting vulnerability in status-display?
On Thursday 02 September 2004 18:33, Matthias Geerdsen wrote:
> Hi,
>
> since Icecast <=1.3.12 has been affected by a cross-site scripting
> vulnerability in the status display (s.
> <http://securitytracker.com/alerts/2004/Aug/1011046.html> and
> <http://www.debian.org/security/2004/dsa-541>) it appears to be unclear
> so far if Icecast 2.x is vulnerable too. Can anyone of you maybe confirm
> it is affected/not affected?
>
> Regards,
> Matthias

It is possible (but unlikely, I think - we've generally been careful about this sort of thing) that icecast 2.x is vulnerable to problems of a similar _type_ to this. However, 2.x cannot be vulnerable to this _specific_ problem, since it's a completely different codebase.

Mike