Icecast dev - Sep 2004 - Icecast 2 affected by cross-site scripting vulnerability in status-display?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

since Icecast <=1.3.12 has been affected by a cross-site scripting
vulnerability in the status display (s.
<http://securitytracker.com/alerts/2004/Aug/1011046.html> and
<http://www.debian.org/security/2004/dsa-541>) it appears to be unclear
so far if Icecast 2.x is vulnerable too. Can anyone of you maybe confirm
it is affected/not affected?

Regards,
	Matthias

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBNtrS0MwiQdjL1BgRAl0MAJ4mI20UAVboD2CmFZiM2z6g6itWbgCdHGmC
mZyhWxpTZTAw6brLzWV7Oh8=QEw0
-----END PGP SIGNATURE-----

Hi:

Icecast 2.x is a complete rewrite, so any bugs in icecast 1.x are not 
necessarily present in version 2.  This is not to say that the bug doesn't 
exist, just that it doesn't exist by virtue of having inherited it from 
icecast 1.

Note that I'm not a developer so I can't answer your question as such. 
Maybe try to reproduce the bug?

Geoff.

On Thursday 02 September 2004 18:33, Matthias Geerdsen
wrote:
> Hi,
>
> since Icecast <=1.3.12 has been affected by a cross-site scripting
> vulnerability in the status display (s.
> <http://securitytracker.com/alerts/2004/Aug/1011046.html> and
> <http://www.debian.org/security/2004/dsa-541>) it appears to be
unclear
> so far if Icecast 2.x is vulnerable too. Can anyone of you maybe confirm
> it is affected/not affected?
>
> Regards,
> 	Matthias
It is possible (but unlikely, I think - we've generally been careful about 
this sort of thing) that icecast 2.x is vulnerable to problems of a similar 
_type_ to this. However, 2.x cannot be vulnerable to this _specific_ problem, 
since it's a completely different codebase.

Mike